From: Simon Horman <horms@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, eric.dumazet@gmail.com,
David Laight <David.Laight@aculab.com>,
Kyle Zeng <zengyhkyle@gmail.com>
Subject: Re: [PATCH net] igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
Date: Tue, 5 Sep 2023 13:06:53 +0200 [thread overview]
Message-ID: <20230905110653.GD2146@kernel.org> (raw)
In-Reply-To: <20230905042338.1345307-1-edumazet@google.com>
On Tue, Sep 05, 2023 at 04:23:38AM +0000, Eric Dumazet wrote:
> This is a follow up of commit 915d975b2ffa ("net: deal with integer
> overflows in kmalloc_reserve()") based on David Laight feedback.
>
> Back in 2010, I failed to realize malicious users could set dev->mtu
> to arbitrary values. This mtu has been since limited to 0x7fffffff but
> regardless of how big dev->mtu is, it makes no sense for igmpv3_newpack()
> to allocate more than IP_MAX_MTU and risk various skb fields overflows.
>
> Fixes: 57e1ab6eaddc ("igmp: refine skb allocations")
> Link: https://lore.kernel.org/netdev/d273628df80f45428e739274ab9ecb72@AcuMS.aculab.com/
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: David Laight <David.Laight@ACULAB.COM>
> Cc: Kyle Zeng <zengyhkyle@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
next prev parent reply other threads:[~2023-09-05 11:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-05 4:23 [PATCH net] igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU Eric Dumazet
2023-09-05 11:06 ` Simon Horman [this message]
2023-09-05 18:01 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230905110653.GD2146@kernel.org \
--to=horms@kernel.org \
--cc=David.Laight@aculab.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=zengyhkyle@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.