| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251119224140.8616-10-david.laight.linux@gmail.com>
Date: Wed, 19 Nov 2025 22:41:05 +0000
From: david.laight.linux@...il.com
To: linux-kernel@...r.kernel.org,
netdev@...r.kernel.org
Cc: David Ahern <dsahern@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
David Laight <david.laight.linux@...il.com>
Subject: [PATCH 09/44] ipv6: __ip6_append_data() don't abuse max_t() casts
From: David Laight <david.laight.linux@...il.com>
The implicit casts done by max_t() should only really be used to
convert positive values to signed or unsigned types.
In the EMSGSIZE error path
pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
is being used to convert a large unsigned value to a signed negative one.
Rework using a signed temporary variable and max(pmtu, 0), as well as
casting sizeof() to (int) - which is where the unsignedness comes from.
Signed-off-by: David Laight <david.laight.linux@...il.com>
---
net/ipv6/ip6_output.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index f904739e99b9..6fecf2f2cc9a 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1440,7 +1440,7 @@ static int __ip6_append_data(struct sock *sk,
struct sk_buff *skb, *skb_prev = NULL;
struct inet_cork *cork = &cork_full->base;
struct flowi6 *fl6 = &cork_full->fl.u.ip6;
- unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu;
+ unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
struct ubuf_info *uarg = NULL;
int exthdrlen = 0;
int dst_exthdrlen = 0;
@@ -1504,9 +1504,10 @@ static int __ip6_append_data(struct sock *sk,
maxnonfragsize = mtu;
if (cork->length + length > maxnonfragsize - headersize) {
+ int pmtu;
emsgsize:
- pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
- ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
+ pmtu = mtu - headersize + (int)sizeof(struct ipv6hdr);
+ ipv6_local_error(sk, EMSGSIZE, fl6, max(pmtu, 0));
return -EMSGSIZE;
}
--
2.39.5
Powered by blists - more mailing lists