| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251106222835.1871628-1-nate.karstens@garmin.com>
Date: Thu, 6 Nov 2025 16:28:33 -0600
From: Nate Karstens <nate.karstens@...min.com>
To: <netdev@...r.kernel.org>
CC: Nate Karstens <nate.karstens@...min.com>,
Nate Karstens
<nate.karstens@...il.com>,
Tom Herbert <tom@...ntonium.net>,
Sabrina Dubroca
<sd@...asysnail.net>,
Jacob Keller <jacob.e.keller@...el.com>, <stable@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
"Eric
Dumazet" <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
Martin KaFai Lau
<martin.lau@...nel.org>,
Jakub Sitnicki <jakub@...udflare.com>, Jiayuan Chen
<mrpre@....com>,
"Dr. David Alan Gilbert" <linux@...blig.org>,
Tom Herbert
<tom@...bertland.com>, <linux-kernel@...r.kernel.org>
Subject: [PATCH net v2] strparser: Fix signed/unsigned mismatch bug
The `len` member of the sk_buff is an unsigned int. This is cast to
`ssize_t` (a signed type) for the first sk_buff in the comparison,
but not the second sk_buff. On 32-bit systems, this can result in
an integer underflow for certain values because unsigned arithmetic
is being used.
This appears to be an oversight: if the intention was to use unsigned
arithmetic, then the first cast would have been omitted. The change
ensures both len values are cast to `ssize_t`.
The underflow causes an issue with ktls when multiple TLS PDUs are
included in a single TCP segment. The mainline kernel does not use
strparser for ktls anymore, but this is still useful for other
features that still use strparser, and for backporting.
Signed-off-by: Nate Karstens <nate.karstens@...min.com>
Cc: stable@...r.kernel.org
Fixes: 43a0c6751a32 ("strparser: Stream parser for messages")
---
net/strparser/strparser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c
index 43b1f558b33d..e659fea2da70 100644
--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -238,7 +238,7 @@ static int __strp_recv(read_descriptor_t *desc, struct sk_buff *orig_skb,
strp_parser_err(strp, -EMSGSIZE, desc);
break;
} else if (len <= (ssize_t)head->len -
- skb->len - stm->strp.offset) {
+ (ssize_t)skb->len - stm->strp.offset) {
/* Length must be into new skb (and also
* greater than zero)
*/
--
2.34.1
Powered by blists - more mailing lists