From: Jakub Kicinski <kuba@kernel.org>
To: "luwei (O)" <luwei32@huawei.com>
Cc: Networking <netdev@vger.kernel.org>
Subject: Re: [Question] integer overflow in function __qdisc_calculate_pkt_len()
Date: Mon, 5 Jun 2023 16:19:22 -0700
Message-ID: <20230605161922.5e417434@kernel.org>
In-Reply-To: <7723cc01-57bf-2b64-7f78-98a0e6508a2e@huawei.com>

On Fri, 2 Jun 2023 10:50:44 +0800 luwei (O) wrote:
> I found an integer overflow issue in function
> __qdisc_calculate_pkt_len(); the root cause is that overhead and cell_align
> in stab are not checked.
>
> For example, if overhead is set to -2147483559 and cell_align is set to
> -32767 (the tc tool limits it to 0 and -1, but other values can be set with
> the netlink API), the integer overflow occurs:
>
>   void __qdisc_calculate_pkt_len(struct sk_buff *skb,
>                                  const struct qdisc_size_table *stab)
>   {
>           int pkt_len, slot;
>
>           pkt_len = skb->len + stab->szopts.overhead; /* (1) */
>           if (unlikely(!stab->szopts.tsize))
>                   goto out;
>
>           slot = pkt_len + stab->szopts.cell_align;   /* (2) */
>           if (unlikely(slot < 0))
>                   slot = 0;
>
> If skb->len is 66, slot will be 66 + (-2147483559) + (-32767) =
> 2147451036, and pkt_len will be 2147451040 finally.  I think the values
> of overhead and cell_align should be limited, but I am not sure to which
> values they should be limited. Can anyone give me some suggestions?

On a quick look, limiting the cell_align to S16_MIN at the netlink level
(NLA_POLICY_MIN()) seems reasonable, feel free to send a patch.
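
A user-space model of the two additions marked (1) and (2) in the quoted excerpt, added here as an illustration and not taken from the thread or the kernel tree. `struct szopts_model` and all function names are hypothetical; the arithmetic is modelled as 32-bit wrapping, and `cell_align_min_ok()` applies the S16_MIN lower bound mentioned in the reply.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two szopts fields used in the excerpt. */
struct szopts_model {
    int32_t overhead;
    int32_t cell_align;
};

/* 32-bit two's-complement add, done in unsigned to avoid signed-overflow UB. */
static int32_t wrap_add(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Value of slot after steps (1) and (2) under 32-bit wrapping arithmetic. */
int32_t slot_wrapped(uint32_t skb_len, const struct szopts_model *o)
{
    int32_t pkt_len = wrap_add((int32_t)skb_len, o->overhead); /* (1) */
    return wrap_add(pkt_len, o->cell_align);                   /* (2) */
}

/* 1 if the mathematically exact sum does not fit in a 32-bit int. */
int slot_overflows(uint32_t skb_len, const struct szopts_model *o)
{
    int64_t exact = (int64_t)skb_len + o->overhead + o->cell_align;
    return exact < INT32_MIN || exact > INT32_MAX;
}

/* Lower bound on cell_align alone (S16_MIN is INT16_MIN in user space). */
int cell_align_min_ok(int32_t cell_align)
{
    return cell_align >= INT16_MIN;
}

int main(void)
{
    /* Values from the report: overhead and cell_align set through netlink. */
    struct szopts_model reported = { -2147483559, -32767 };
    /* Constructed benign input: cell_align of -1, which tc allows. */
    struct szopts_model benign = { 0, -1 };

    printf("reported: slot=%d overflow=%d cell_align_min_ok=%d\n",
           slot_wrapped(66, &reported), slot_overflows(66, &reported),
           cell_align_min_ok(reported.cell_align));
    printf("benign:   slot=%d overflow=%d\n",
           slot_wrapped(66, &benign), slot_overflows(66, &benign));
    return 0;
}
```

With the reported values the `slot < 0` guard is bypassed because the wrapped result is positive, and the reported cell_align of -32767 lies above S16_MIN, so the sum check involving overhead is what flags this input.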
