From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: "Àlex Fernández" <tomaquet18@protonmail.com>,
	netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4] netfilter: conntrack: fix integer overflow in expectation timeout
Date: Tue, 19 May 2026 21:57:09 +0200
Message-ID: <agzAlQb36seb2Rhr@chamomile>
In-Reply-To: <agzAFhNpiYNcBeZ5@chamomile>

On Tue, May 19, 2026 at 09:55:06PM +0200, Pablo Neira Ayuso wrote:
> On Tue, May 19, 2026 at 09:38:12PM +0200, Florian Westphal wrote:
> > Àlex Fernández <tomaquet18@protonmail.com> wrote:
> > >  		x->timeout.expires = jiffies +
> > > -			ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
> > > +			(u64)ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
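Review bot: the (u64) cast on the + line widens only the multiplication; the sum is still assigned to x->timeout.expires, so if that field is narrower than 64 bits (the review quoted further down says it is an unsigned long) the value is truncated again on assignment. Consider computing the delta into a local variable, clamping it to a safe maximum, and only then adding it to jiffies.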
> 
> Yes, for correctness, fixing this is fine but...
> 
> > https://sashiko.dev/#/patchset/20260504112300.715192-1-tomaquet18%40protonmail.com
> > 
> > Does this fully resolve the overflow on 32-bit architectures?
> > The expires field in struct timer_list is an unsigned long, which is 32 bits
> > wide on 32-bit systems. Assigning the 64-bit multiplication result directly
> > to expires will silently truncate it back to 32 bits, causing the same
> > wraparound this patch intends to fix.
> > Additionally, does providing a timeout delta larger than INT_MAX break the
> > kernel's signed timer comparisons?
> > If the delta exceeds INT_MAX, macros like time_after() will evaluate the
> > timer as being in the past, causing it to expire immediately.
> 
> the submitter claims you can create expectations that expire
> immediately, but what is the issue with this?
> 
> > Should the computed timeout delta be explicitly clamped to a safe maximum
> > (such as INT_MAX or MAX_JIFFY_OFFSET), similar to the logic used for
> > standard conntrack timeouts?
> 
> I think this is just a cleanup / nf-next material?

But this can also go through nf.git for correctness, we can just
describe in the PR the effect of this bug.
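
The arithmetic discussed in this thread, modelled in user space as an added example (not code from the patch, the kernel or anyone in the thread). It assumes a 32-bit `unsigned long`, `HZ` of 1000 and `INT32_MAX` as the clamp; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define HZ 1000u                          /* assumed tick rate */
#define MAX_OFFSET ((uint32_t)INT32_MAX)  /* assumed safe maximum delta */

typedef uint32_t ulong32;  /* models unsigned long on a 32-bit kernel */

/* Signed-difference comparison in the style of time_after(a, b). */
static int after32(ulong32 a, ulong32 b) { return (int32_t)(b - a) < 0; }

/* Pre-patch form: the 32-bit product wraps before it is added. */
static ulong32 expires_u32(ulong32 now, uint32_t secs)
{
    return now + secs * HZ;
}

/* Patched form: 64-bit product, then stored into a 32-bit field. */
static ulong32 expires_u64_truncated(ulong32 now, uint32_t secs)
{
    return (ulong32)(now + (uint64_t)secs * HZ);
}

/* Clamp the delta in 64 bits, then add it to the current tick count. */
static ulong32 expires_clamped(ulong32 now, uint32_t secs)
{
    uint64_t delta = (uint64_t)secs * HZ;

    if (delta > MAX_OFFSET)
        delta = MAX_OFFSET;
    return now + (ulong32)delta;
}

int main(void)
{
    ulong32 now = 1000;            /* constructed sample tick count */
    uint32_t wrap = 4294968;       /* secs * HZ exceeds 2^32 */
    uint32_t big = 3000000;        /* secs * HZ exceeds INT32_MAX only */

    printf("u32 multiply:      %u\n", (unsigned)expires_u32(now, wrap));
    printf("u64 then truncate: %u\n", (unsigned)expires_u64_truncated(now, wrap));
    printf("delta > INT_MAX, in future? %d\n",
           after32(expires_u64_truncated(now, big), now));
    printf("clamped, in future?         %d\n",
           after32(expires_clamped(now, big), now));
    return 0;
}
```
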
