lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iL3iWQkhbJ1-YgJ_DQErkhB6=rOD_JuJBiJaEb+36QrkA@mail.gmail.com> Date: Wed, 12 Oct 2022 05:31:50 -0700 From: Eric Dumazet <edumazet@...gle.com> To: Lu Wei <luwei32@...wei.com> Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, yoshfuji@...ux-ipv6.org, dsahern@...nel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH -next] tcp: fix a signed-integer-overflow bug in tcp_add_backlog() On Wed, Oct 12, 2022 at 2:35 AM Lu Wei <luwei32@...wei.com> wrote: > > The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and > in tcp_add_backlog(), the variable limit is caculated by adding > sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value > of u32 and be truncated. So change it to u64 to avoid a potential > signed-integer-overflow, which leads to opposite result is returned > in the following function. > > Signed-off-by: Lu Wei <luwei32@...wei.com> You need to add a Fixes: tag, please. > --- > include/net/sock.h | 4 ++-- > net/ipv4/tcp_ipv4.c | 6 ++++-- > 2 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/include/net/sock.h b/include/net/sock.h > index 08038a385ef2..fc0fa29d8865 100644 > --- a/include/net/sock.h > +++ b/include/net/sock.h > @@ -1069,7 +1069,7 @@ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) > * Do not take into account this skb truesize, > * to allow even a single big packet to come. > */ > -static inline bool sk_rcvqueues_full(const struct sock *sk, unsigned int limit) > +static inline bool sk_rcvqueues_full(const struct sock *sk, u64 limit) > { > unsigned int qsize = sk->sk_backlog.len + atomic_read(&sk->sk_rmem_alloc); qsize would then overflow :/ I would rather limit sk_rcvbuf and sk_sndbuf to 0x7fff0000, instead of 0x7ffffffe If really someone is using 2GB for both send and receive queues, I doubt removing 64KB will be a problem.
Powered by blists - more mailing lists