lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <874iywux7o.fsf@toke.dk>
Date: Thu, 10 Apr 2025 12:28:43 +0200
From: Toke Høiland-Jørgensen <toke@...hat.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Jamal Hadi Salim <jhs@...atatu.com>, Jiri Pirko <jiri@...nulli.us>, Ilya
 Maximets <i.maximets@...hat.com>, Frode Nordahl
 <frode.nordahl@...onical.com>, "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
 netdev@...r.kernel.org
Subject: Re: [PATCH net] tc: Ensure we have enough buffer space when sending
 filter netlink notifications

Cong Wang <xiyou.wangcong@...il.com> writes:

> On Mon, Apr 07, 2025 at 12:55:34PM +0200, Toke Høiland-Jørgensen wrote:
>> +static struct sk_buff *tfilter_notify_prep(struct net *net,
>> +					   struct sk_buff *oskb,
>> +					   struct nlmsghdr *n,
>> +					   struct tcf_proto *tp,
>> +					   struct tcf_block *block,
>> +					   struct Qdisc *q, u32 parent,
>> +					   void *fh, int event,
>> +					   u32 portid, bool rtnl_held,
>> +					   struct netlink_ext_ack *extack)
>> +{
>> +	unsigned int size = oskb ? max(NLMSG_GOODSIZE, oskb->len) : NLMSG_GOODSIZE;
>> +	struct sk_buff *skb;
>> +	int ret;
>> +
>> +retry:
>> +	skb = alloc_skb(size, GFP_KERNEL);
>> +	if (!skb)
>> +		return ERR_PTR(-ENOBUFS);
>> +
>> +	ret = tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
>> +			    n->nlmsg_seq, n->nlmsg_flags, event, false,
>> +			    rtnl_held, extack);
>> +	if (ret <= 0) {
>> +		kfree_skb(skb);
>> +		if (ret == -EMSGSIZE) {
>> +			size += NLMSG_GOODSIZE;
>> +			goto retry;
>
> It is a bit concerning to see this technically unbound loop.

Well, I did think about that. The loop will terminate eventually by
either succeeding, or failing the allocation. Most likely the former,
since this is only called after a filter has been successfully
installed. I.e., it's not like the amount of data being put into the skb
is unbounded.

>> +		}
>> +		return ERR_PTR(-EINVAL);
>
> I think you probably want to propagate the error code from
> tcf_fill_node() here.

I just kept the existing return value (of tfilter_notify()) for the same
error case. tcf_fill_node() always returns -1 on error, so I think it
makes more sense to keep this?

Paolo already merged the patch, and I don't think it's worth it to
follow up with any fixes, cf the above. WDYT?

-Toke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ