| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7723cc01-57bf-2b64-7f78-98a0e6508a2e@huawei.com>
Date: Fri, 2 Jun 2023 10:50:44 +0800
From: "luwei (O)" <luwei32@...wei.com>
To: Networking <netdev@...r.kernel.org>
Subject: [Question] integer overflow in function __qdisc_calculate_pkt_len()
Hi list,
I found an integer overflow issue in function
__qdisc_calculate_pkt_len(), the root cause is overhead and cell_align
in stab is not checked.
For example, if overhead is set to -2147483559 and cell_align is set to
-32767 (tc tool limit it to 0 and -1, but other values can be set with
netlink api),
the integer overflow occurs:
568 void __qdisc_calculate_pkt_len(struct sk_buff *skb,
569 const struct qdisc_size_table *stab)
570 {
571 int pkt_len, slot;
572
573 pkt_len = skb->len + stab->szopts.overhead; (1)
574 if (unlikely(!stab->szopts.tsize))
575 goto out;
576
577 slot = pkt_len + stab->szopts.cell_align; (2)
578 if (unlikely(slot < 0))
579 slot = 0;
if skb->len is 66, slot will be 66 + (-2147483559) + (-32767) =
2147451036, and pkt_len will be 2147451040 finally. I think the value
of overhead and cell_align
should be limited, but not sure to which values they should be limited,
can any one give me some suggestions?
--
Best Regards,
Lu Wei
Powered by blists - more mailing lists