[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iJ39Hguu6bRm2am6J_u0pSnm++ORa_UVpC0+8-mxORFfw@mail.gmail.com>
Date: Mon, 18 Sep 2023 16:04:49 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: David Howells <dhowells@...hat.com>,
syzbot <syzbot+62cbf263225ae13ff153@...kaller.appspotmail.com>, bpf@...r.kernel.org,
davem@...emloft.net, dsahern@...nel.org, kuba@...nel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] WARNING in __ip6_append_data
On Mon, Sep 18, 2023 at 3:58 PM Willem de Bruijn
<willemdebruijn.kernel@...il.com> wrote:
>
> David Howells wrote:
> > David Howells <dhowells@...hat.com> wrote:
> >
> > > I think the attached is probably an equivalent cleaned up reproducer. Note
> > > that if the length given to sendfile() is less than 65536, it fails with
> > > EINVAL before it gets into __ip6_append_data().
> >
> > Actually, it only fails with EINVAL if the size is not a multiple of the block
> > size of the source file because it's open O_DIRECT so, say, 65536-512 is fine
> > (and works).
> >
> > But thinking more on this further, is this even a bug in my code, I wonder?
> > The length passed is 65536 - but a UDP packet can't carry that, so it
> > shouldn't it have errored out before getting that far? (which is what it
> > seems to do when I try it).
> >
> > I don't see how we get past the length check in ip6_append_data() with the
> > reproducer we're given unless the MTU is somewhat bigger than 65536 (is that
> > even possible?)
>
> An ipv6 packet can carry 64KB of payload, so maxnonfragsize of 65535 + 40
> sounds correct. But payload length passed of 65536 is not (ignoring ipv6
> jumbograms). So that should probably trigger an EINVAL -- if that is indeed
> what the repro does.
l2tp_ip6_sendmsg() claims ip6_append_data() can make better checks,
but what about simply replacing INT_MAX by 65535 ?
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 44cfb72bbd18a34e83e50bebca09729c55df524f..ab57a134923bfc8040dba0d8fb702551ff265184
100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -502,10 +502,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk,
struct msghdr *msg, size_t len)
int ulen;
int err;
- /* Rough check on arithmetic overflow,
- * better check is made in ip6_append_data().
- */
- if (len > INT_MAX - transhdrlen)
+ if (len > 65535 - transhdrlen)
return -EMSGSIZE;
ulen = len + transhdrlen;
Powered by blists - more mailing lists