net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

[ Upstream commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc ]

We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/core/sock.c b/net/core/sock.c
index b2e14c07d9205467f0a8d83af3fe6108d277a15f..0f8402ea434b134694584c0482ce04ba2bf0d756 100644 (file)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1600,6 +1600,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
        gfp_t gfp_mask;
        long timeo;
        int err;
+       int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+
+       err = -EMSGSIZE;
+       if (npages > MAX_SKB_FRAGS)
+               goto failure;
 
        gfp_mask = sk->sk_allocation;
        if (gfp_mask & __GFP_WAIT)
@@ -1618,14 +1623,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
                if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
                        skb = alloc_skb(header_len, gfp_mask);
                        if (skb) {
-                               int npages;
                                int i;
 
                                /* No pages, we're done... */
                                if (!data_len)
                                        break;
 
-                               npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
                                skb->truesize += data_len;
                                skb_shinfo(skb)->nr_frags = npages;
                                for (i = 0; i < npages; i++) {