skb->sk is used in dev_pick_tx() which is called from dev_queue_xmit(). If
sk points to an arbitrary magic value, dev_pick_tx() returns a wrong value,
which can lead to various memory corruption bugs.

In commit a4ee3ce3293dc931fab19beb472a8bde1295aebe dev_pick_tx() was
changed to look at the new socket field sk_tx_queue_mapping, so a bogus
skb->sk is now dereferenced on every transmit.
---
 net/can/gw.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/can/gw.c b/net/can/gw.c
index 3e9fd3e..d21b678 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -58,6 +58,7 @@
 #include <socketcan/can/gw.h>
 #include <net/rtnetlink.h>
 #include <net/net_namespace.h>
+#include <net/sock.h>
 
 #define CAN_GW_VERSION "20101205"
 static __initdata const char banner[] =
@@ -73,7 +74,11 @@ static struct notifier_block notifier;
 
 static struct kmem_cache *cgw_cache __read_mostly;
 
-#define CGW_SK_MAGIC ((void *)(&notifier))
+static struct sock gw_dummy_sk = {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,33)
+       .sk_tx_queue_mapping = -1,
+#endif
+};
 
 /* structure that contains the (on-the-fly) CAN frame modifications */
 struct cf_mod {
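Review bot: gw_dummy_sk at the top of this hunk is a zero-filled struct sock that is never set up as a socket (no reference count, no lock, no owner bookkeeping) yet is shared by every gateway job, so the fix is only as safe as the guarantee that nothing on the transmit path treats skb->sk as a real socket or writes through it. With sk_tx_queue_mapping = -1 and sk_dst_cache left NULL, dev_pick_tx() presumably neither reads a cached queue nor calls sk_tx_queue_set() on it, which looks like the intent, but that invariant is nowhere written down. I would put above the definition: `/* Marker only, never a real socket: shared, read-only, zero-filled except for sk_tx_queue_mapping so that dev_pick_tx() ignores it. */`. The LINUX_VERSION_CODE/KERNEL_VERSION guard also relies on <linux/version.h>, which this patch does not add; that is fine only if an include outside the hunk already provides it.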
@@ -343,7 +348,7 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
        int modidx = 0;
 
        /* do not handle already routed frames */
-       if (skb->sk == CGW_SK_MAGIC)
+       if (skb->sk == &gw_dummy_sk)
                return;
 
        if (!(gwj->dst.dev->flags & IFF_UP)) {
@@ -368,7 +373,7 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
        }
 
        /* mark routed frames with a 'special' sk value */
-       nskb->sk = CGW_SK_MAGIC;
+       nskb->sk = &gw_dummy_sk;
        nskb->dev = gwj->dst.dev;
 
        /* pointer to modifiable CAN frame */
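Review bot: nskb->sk now points at a genuine struct sock object rather than an arbitrary address, so any later skb_orphan() or kfree_skb() that finds a non-NULL nskb->destructor would presumably run it (sock_wfree() and friends) against the shared dummy socket and drop references that were never taken. How nskb is created is outside this hunk; if it comes from skb_clone()/skb_copy() the destructor is already NULL, otherwise clear it explicitly next to the assignment: `nskb->destructor = NULL;`. In either case the comment above the assignment should say that gw_dummy_sk is only ever compared, never dereferenced as a socket, e.g. `/* mark routed frames with the gateway's dummy sk; it is a marker only and must never be used as a socket */`. can_can_gw_rcv() starts and ends outside this hunk.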
-- 
1.7.2.3
