From: Antonio Quartulli <antonio@meshcoding.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org,
Antonio Quartulli <antonio@meshcoding.com>,
Marek Lindner <mareklindner@neomailbox.ch>
Subject: [B.A.T.M.A.N.] [PATCH 10/15] batman-adv: Fix gw_bandwidth calculation on 32 bit systems
Date: Tue, 25 Aug 2015 13:02:34 +0200 [thread overview]
Message-ID: <1440500559-28368-11-git-send-email-antonio@meshcoding.com> (raw)
In-Reply-To: <1440500559-28368-1-git-send-email-antonio@meshcoding.com>
From: Sven Eckelmann <sven@narfation.org>
The TVLV for the gw_bandwidth stores everything as u32. But the
gw_bandwidth reads the signed long which limits the maximum value to
(2 ** 31 - 1) on systems with 4 byte long. Also the input value is always
converted from either Mibit/s or Kibit/s to 100Kibit/s. This reduces the
values even further when the user sets it via the default unit Kibit/s. It
may even cause an integer overflow and end up with a value the user never
intended.
Instead read the values as u64, check for possible overflows, do the unit
adjustments and then reduce the size to u32.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
---
net/batman-adv/gateway_common.c | 49 +++++++++++++++++++++++++++++++++++------
1 file changed, 42 insertions(+), 7 deletions(-)
diff --git a/net/batman-adv/gateway_common.c b/net/batman-adv/gateway_common.c
index 6b930a6..0cb5e6b 100644
--- a/net/batman-adv/gateway_common.c
+++ b/net/batman-adv/gateway_common.c
@@ -22,6 +22,7 @@
#include <linux/errno.h>
#include <linux/byteorder/generic.h>
#include <linux/kernel.h>
+#include <linux/math64.h>
#include <linux/netdevice.h>
#include <linux/stddef.h>
#include <linux/string.h>
@@ -44,7 +45,7 @@ static bool batadv_parse_gw_bandwidth(struct net_device *net_dev, char *buff,
{
enum batadv_bandwidth_units bw_unit_type = BATADV_BW_UNIT_KBIT;
char *slash_ptr, *tmp_ptr;
- long ldown, lup;
+ u64 ldown, lup;
int ret;
slash_ptr = strchr(buff, '/');
@@ -62,7 +63,7 @@ static bool batadv_parse_gw_bandwidth(struct net_device *net_dev, char *buff,
*tmp_ptr = '\0';
}
- ret = kstrtol(buff, 10, &ldown);
+ ret = kstrtou64(buff, 10, &ldown);
if (ret) {
batadv_err(net_dev,
"Download speed of gateway mode invalid: %s\n",
@@ -72,14 +73,31 @@ static bool batadv_parse_gw_bandwidth(struct net_device *net_dev, char *buff,
switch (bw_unit_type) {
case BATADV_BW_UNIT_MBIT:
- *down = ldown * 10;
+ /* prevent overflow */
+ if (U64_MAX / 10 < ldown) {
+ batadv_err(net_dev,
+ "Download speed of gateway mode too large: %s\n",
+ buff);
+ return false;
+ }
+
+ ldown *= 10;
break;
case BATADV_BW_UNIT_KBIT:
default:
- *down = ldown / 100;
+ ldown = div_u64(ldown, 100);
break;
}
+ if (U32_MAX < ldown) {
+ batadv_err(net_dev,
+ "Download speed of gateway mode too large: %s\n",
+ buff);
+ return false;
+ }
+
+ *down = ldown;
+
/* we also got some upload info */
if (slash_ptr) {
bw_unit_type = BATADV_BW_UNIT_KBIT;
@@ -95,7 +113,7 @@ static bool batadv_parse_gw_bandwidth(struct net_device *net_dev, char *buff,
*tmp_ptr = '\0';
}
- ret = kstrtol(slash_ptr + 1, 10, &lup);
+ ret = kstrtou64(slash_ptr + 1, 10, &lup);
if (ret) {
batadv_err(net_dev,
"Upload speed of gateway mode invalid: %s\n",
@@ -105,13 +123,30 @@ static bool batadv_parse_gw_bandwidth(struct net_device *net_dev, char *buff,
switch (bw_unit_type) {
case BATADV_BW_UNIT_MBIT:
- *up = lup * 10;
+ /* prevent overflow */
+ if (U64_MAX / 10 < lup) {
+ batadv_err(net_dev,
+ "Upload speed of gateway mode too large: %s\n",
+ slash_ptr + 1);
+ return false;
+ }
+
+ lup *= 10;
break;
case BATADV_BW_UNIT_KBIT:
default:
- *up = lup / 100;
+ lup = div_u64(lup, 100);
break;
}
+
+ if (U32_MAX < lup) {
+ batadv_err(net_dev,
+ "Upload speed of gateway mode too large: %s\n",
+ slash_ptr + 1);
+ return false;
+ }
+
+ *up = lup;
}
return true;
--
2.5.0
next prev parent reply other threads:[~2015-08-25 11:02 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-25 11:02 [B.A.T.M.A.N.] pull request: batman-adv 20150825 Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [PATCH 01/15] batman-adv: Replace C99 int types with kernel type Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] " Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 02/15] batman-adv: Fix kerneldoc over 80 column lines Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 03/15] batman-adv: Remove multiple assignment per line Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [PATCH 04/15] batman-adv: update kernel doc of batadv_tt_global_del_orig_entry() Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] " Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 05/15] batman-adv: rename batadv_new_tt_req_node to batadv_tt_req_node_new Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 06/15] batman-adv: Remove batadv_ types forward declarations Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 07/15] batman-adv: convert orig_node->vlan_list to hlist Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 08/15] batman-adv: prevent potential hlist double deletion Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 09/15] batman-adv: Return EINVAL on invalid gw_bandwidth change Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [PATCH 10/15] batman-adv: Fix gw_bandwidth calculation on 32 bit systems Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli [this message]
2015-08-25 11:02 ` [PATCH 11/15] batman-adv: convert bat_priv->tt.req_list to hlist Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] " Antonio Quartulli
2015-08-25 11:02 ` [PATCH 12/15] batman-adv: Annotate deleting functions with external lock via lockdep Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] " Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 13/15] batman-adv: Add lockdep_asserts for documented external locks Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] [PATCH 14/15] batman-adv: Fix conditional statements indentation Antonio Quartulli
2015-08-25 11:02 ` Antonio Quartulli
2015-08-25 11:02 ` [PATCH 15/15] batman-adv: beautify supported routing algorithm list Antonio Quartulli
2015-08-25 11:02 ` [B.A.T.M.A.N.] " Antonio Quartulli
2015-08-25 23:21 ` [B.A.T.M.A.N.] pull request: batman-adv 20150825 David Miller
2015-08-25 23:21 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440500559-28368-11-git-send-email-antonio@meshcoding.com \
--to=antonio@meshcoding.com \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
--cc=davem@davemloft.net \
--cc=mareklindner@neomailbox.ch \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.