From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jeremy Sowden <jeremy@azazel.net>
Cc: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH libmnl] nlmsg, attr: fix false positives when validating buffer sizes
Date: Mon, 11 Sep 2023 21:24:05 +0200 [thread overview]
Message-ID: <ZP9pVfzfv7SYYUM9@calendula> (raw)
In-Reply-To: <ZP9oyPItYTM2EVuw@calendula>
On Mon, Sep 11, 2023 at 09:21:50PM +0200, Pablo Neira Ayuso wrote:
> On Sun, Sep 10, 2023 at 09:30:18PM +0100, Jeremy Sowden wrote:
> > `mnl_nlmsg_ok` and `mnl_attr_ok` both expect a signed buffer length
> > value, `len`, against which to compare the size of the object expected
> > to fit into the buffer, because they are intended to validate the length
> > and it may be negative in the case of malformed messages. Comparing
> > this signed value against unsigned operands leads to compiler warnings,
> > so the unsigned operands are cast to `int`. Comparing `len` to the size
> > of the structure is fine, because the structures are only a few bytes in
> > size. Comparing it to the length fields of `struct nlmsg` and `struct
> > nlattr`, however, is problematic, since these fields may hold values
> > greater than `INT_MAX`, in which case the casts will yield negative
> > values and result in false positives.
> >
> > Instead, assign `len` to an unsigned local variable, check for negative
> > values first, then use the unsigned local for the other comparisons, and
> > remove the casts.
> >
> > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1691
> > Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
> > ---
> > src/attr.c | 9 +++++++--
> > src/nlmsg.c | 9 +++++++--
> > 2 files changed, 14 insertions(+), 4 deletions(-)
> >
> > diff --git a/src/attr.c b/src/attr.c
> > index bc39df4199e7..48e95019d5e8 100644
> > --- a/src/attr.c
> > +++ b/src/attr.c
> > @@ -97,9 +97,14 @@ EXPORT_SYMBOL void *mnl_attr_get_payload(const struct nlattr *attr)
> > */
> > EXPORT_SYMBOL bool mnl_attr_ok(const struct nlattr *attr, int len)
>
> Maybe turn this into uint32_t ?
Actually, attribute length field is 16 bits long, so it can never
happen that nla_len will underflow.
next prev parent reply other threads:[~2023-09-11 21:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-10 20:30 [PATCH libmnl] nlmsg, attr: fix false positives when validating buffer sizes Jeremy Sowden
2023-09-11 19:21 ` Pablo Neira Ayuso
2023-09-11 19:24 ` Pablo Neira Ayuso [this message]
2023-09-11 20:30 ` Jeremy Sowden
2023-09-11 21:17 ` Pablo Neira Ayuso
2023-10-14 16:59 ` Jeremy Sowden
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZP9pVfzfv7SYYUM9@calendula \
--to=pablo@netfilter.org \
--cc=jeremy@azazel.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.