From: Pablo Neira Ayuso <pablo@netfilter.org>
To: joao@overdrivepizza.com
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
rkannoth@marvell.com, wojciech.drewek@intel.com,
steen.hegenlund@microhip.com, keescook@chromium.org,
Joao Moreira <joao.moreira@intel.com>
Subject: Re: [PATCH 2/2] Ensure num_actions is not a negative
Date: Fri, 1 Sep 2023 10:58:39 +0200 [thread overview]
Message-ID: <ZPGnv40EYt/lnOVj@calendula> (raw)
In-Reply-To: <20230901010437.126631-3-joao@overdrivepizza.com>
On Thu, Aug 31, 2023 at 06:04:37PM -0700, joao@overdrivepizza.com wrote:
> From: Joao Moreira <joao.moreira@intel.com>
>
> In nft_flow_rule_create function, num_actions is a signed integer. Yet,
> it is processed within a loop which increments its value. To prevent an
> overflow from occurring, check if num_actions is not only equal to 0,
> but also not negative.
>
> After checking with maintainers, it was mentioned that front-end will
> cap the num_actions vlaue and that it is not possible to reach such
> condition for an overflow. Yet, for correctness, it is still better to
> fix this.
>
> Signed-off-by: Joao Moreira <joao.moreira@intel.com>
> ---
> net/netfilter/nf_tables_offload.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 12ab78fa5d84..20dbc95de895 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -102,7 +102,7 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
> expr = nft_expr_next(expr);
> }
>
> - if (num_actions == 0)
> + if (num_actions <= 0)
> return ERR_PTR(-EOPNOTSUPP);
Better turn num_actions into unsigned int I'd suggest.
Next hypothetical problem would be an overflow in the number of
actions, you could check for UINT_MAX if you like here to report
ENOMEM.
Thanks.
> flow = nft_flow_rule_alloc(num_actions);
> --
> 2.41.0
>
next prev parent reply other threads:[~2023-09-01 8:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-01 1:04 [PATCH 0/2] Prevent potential write out of bounds joao
2023-09-01 1:04 ` [PATCH 1/2] Make loop indexes unsigned joao
2023-09-01 1:04 ` [PATCH 2/2] Ensure num_actions is not a negative joao
2023-09-01 8:58 ` Pablo Neira Ayuso [this message]
2023-09-01 1:28 ` [PATCH 0/2] Prevent potential write out of bounds Jakub Kicinski
2023-09-01 5:46 ` Joao Moreira
2023-09-01 8:15 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZPGnv40EYt/lnOVj@calendula \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=joao.moreira@intel.com \
--cc=joao@overdrivepizza.com \
--cc=kadlec@netfilter.org \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rkannoth@marvell.com \
--cc=steen.hegenlund@microhip.com \
--cc=wojciech.drewek@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.