From: Cong Wang
Date: Wed, 1 Mar 2017 21:13:02 -0800
Subject: Re: [PATCH v4] net: don't call strlen() on the user buffer in packet_bind_spkt()
To: Alexander Potapenko
Cc: Dmitry Vyukov, Kostya Serebryany, Eric Dumazet, LKML, Linux Kernel Network Developers
In-Reply-To: <20170301115720.99985-1-glider@google.com>

On Wed, Mar 1, 2017 at 3:57 AM, Alexander Potapenko wrote:
> This happens because addr.sa_data copied from the userspace is not
> zero-terminated, and copying it with strlcpy() in packet_bind_spkt()
> results in calling strlen() on the kernel copy of that non-terminated
> buffer.

Very similar to

commit b301f2538759933cf9ff1f7c4f968da72e3f0757
Author: Pablo Neira Ayuso
Date:   Thu Mar 24 21:29:53 2016 +0100

    netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
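
Added example, not part of this message or of the kernel patch: a user-space C sketch of the failure mode quoted above. `demo_strlcpy()` and `copy_sa_name()` are hypothetical names; the 32-byte buffer is a constructed model of the 14-byte `sa_data` field followed by neighbouring memory, so the over-read is well-defined here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SA_DATA_LEN 14  /* size of sa_data in struct sockaddr */

/* strlcpy semantics: the return value is strlen(src), so the source is
 * scanned until a NUL is found, whatever the destination size is. */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);               /* unbounded scan of src */
    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Bounded alternative: reads exactly SA_DATA_LEN bytes from the field and
 * terminates the copy itself. name must hold SA_DATA_LEN + 1 bytes. */
static size_t copy_sa_name(char *name, const char *sa_data)
{
    memcpy(name, sa_data, SA_DATA_LEN);
    name[SA_DATA_LEN] = '\0';
    return strlen(name);
}

/* Constructed sample: field filled with 14 non-NUL bytes, then "SECRET". */
static void fill_sample(char mem[32])
{
    memset(mem, 'A', SA_DATA_LEN);
    memcpy(mem + SA_DATA_LEN, "SECRET", 7); /* 6 bytes + NUL */
}

static size_t scan_past_field(void)
{
    char mem[32], dst[SA_DATA_LEN];
    fill_sample(mem);
    return demo_strlcpy(dst, mem, sizeof(dst)); /* scan leaves the field */
}

static size_t bounded_len(void)
{
    char mem[32], name[SA_DATA_LEN + 1];
    fill_sample(mem);
    return copy_sa_name(name, mem);             /* stays inside the field */
}

int main(void)
{
    printf("strlcpy scanned %zu bytes, bounded copy saw %zu\n",
           scan_past_field(), bounded_len());
    return 0;
}
```

The destination is truncated correctly in both cases; the difference is only in how far the source is read, which is what a tool that tracks uninitialized or out-of-bounds reads flags.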