| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Jun 2023 16:19:22 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: "luwei (O)" <luwei32@...wei.com>
Cc: Networking <netdev@...r.kernel.org>
Subject: Re: [Question] integer overflow in function
__qdisc_calculate_pkt_len()
On Fri, 2 Jun 2023 10:50:44 +0800 luwei (O) wrote:
> I found an integer overflow issue in function
> __qdisc_calculate_pkt_len(), the root cause is overhead and cell_align
> in stab is not checked.
>
> For example, if overhead is set to -2147483559 and cell_align is set to
> -32767 (tc tool limit it to 0 and -1, but other values can be set with
> netlink api),
>
> the integer overflow occurs:
>
> 568 void __qdisc_calculate_pkt_len(struct sk_buff *skb,
> 569 const struct qdisc_size_table *stab)
> 570 {
> 571 int pkt_len, slot;
> 572
> 573 pkt_len = skb->len + stab->szopts.overhead; (1)
> 574 if (unlikely(!stab->szopts.tsize))
> 575 goto out;
> 576
> 577 slot = pkt_len + stab->szopts.cell_align; (2)
> 578 if (unlikely(slot < 0))
> 579 slot = 0;
>
> if skb->len is 66, slot will be 66 + (-2147483559) + (-32767) =
> 2147451036, and pkt_len will be 2147451040 finally. I think the value
> of overhead and cell_align
>
> should be limited, but not sure to which values they should be limited,
> can any one give me some suggestions?
on a quick look limiting the cell_align to S16_MIN at the netlink level
(NLA_POLICY_MIN()) seems reasonable, feel free to send a patch.
Powered by blists - more mailing lists