| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210221123912.3185059-1-snovitoll@gmail.com>
Date: Sun, 21 Feb 2021 18:39:12 +0600
From: Sabyrzhan Tasbolatov <snovitoll@...il.com>
To: eric.dumazet@...il.com
Cc: davem@...emloft.net, kuba@...nel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, snovitoll@...il.com,
syzbot+c2a7e5c5211605a90865@...kaller.appspotmail.com
Subject: Re: [PATCH] net/qrtr: restrict length in qrtr_tun_write_iter()
> Do we really expect to accept huge lengths here ?
Sorry for late response but I couldnt find any reference to the max
length of incoming data for qrtr TUN interface.
> qrtr_endpoint_post() will later attempt a netdev_alloc_skb() which will need
> some extra space (for struct skb_shared_info)
Thanks, you're right, qrtr_endpoint_post() will alloc another slab buffer.
We can check the length of skb allocation but we need to do following:
int qrtr_endpoint_post(.., const void *data, size_t len)
{
..
when QRTR_PROTO_VER_1:
hdrlen = sizeof(*data);
when QRTR_PROTO_VER_2:
hdrlen = sizeof(*data) + data->optlen;
len = (KMALLOC_MAX_SIZE - hdrlen) % data->size;
skb = netdev_alloc_skb(NULL, len);
..
skb_put_data(skb, data + hdrlen, size);
So it requires refactoring as in qrtr_tun_write_iter() we just allocate and
pass it to qrtr_endpoint_post() and there
we need to do len calculation as above *before* netdev_alloc_skb(NULL, len).
Perhaps there is a nicer solution though.
Powered by blists - more mailing lists