From: Jason Baron <jbaron@akamai.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, kuniyu@amazon.com
Subject: [PATCH net-next v2 0/3] Fix netlink rcvbuf wraparound
Date: Wed, 18 Jun 2025 19:13:20 -0400
Message-ID: <cover.1750285100.git.jbaron@akamai.com>

The sk->sk_rmem_alloc field of a netlink socket can wrap around as a
signed int when comparing to sk->sk_rcvbuf, when sk->sk_rcvbuf approaches
INT_MAX. This can be reproduced by forcing sk->sk_rcvbuf to INT_MAX and
this can exhaust all of memory.

I've added a sock_rcvbuf_has_space() helper function to generalize the
fix as a similar approach has already been implemented for udp sockets.

v2:
-add Fixes:
-add sock_rcvbuf_has_space() helper
-use helper functions for udp netlink
-remove excessive parentheses

Jason Baron (3):
  net: add sock_rcvbuf_has_space() helper
  udp: use __sock_rcvbuf_has_space() helper
  netlink: Fix wraparound of sk->sk_rmem_alloc

 include/net/sock.h       | 38 ++++++++++++++++++++++++++++++++++++++
 net/ipv4/udp.c           | 13 ++-----------
 net/netlink/af_netlink.c | 35 +++++++++++++++++++++--------------
 3 files changed, 61 insertions(+), 25 deletions(-)

--
2.25.1
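
The wraparound described in the cover letter, shown as an added user-space model; it is not code from the patch series or from the kernel. The names `model_sock`, `has_space_signed`, `has_space_wide` and `offer`, the exact shape of the weak check, and the 1 MiB packet size are assumptions, and the 64-bit comparison is one wrap-free option rather than the series' `sock_rcvbuf_has_space()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of a receive-buffer charge; not kernel code. */
struct model_sock {
    uint32_t rmem_bits; /* raw bits of a signed 32-bit rmem counter */
    int32_t rcvbuf;     /* receive buffer limit, assumed non-negative */
    uint64_t queued;    /* bytes really held, tracked without wrapping */
};

/* Read the counter the way a wrapping signed int would see it. */
static int32_t rmem_signed(const struct model_sock *sk) {
    uint32_t u = sk->rmem_bits;
    return u <= INT32_MAX ? (int32_t)u : -(int32_t)(UINT32_MAX - u) - 1;
}

/* Assumed weak pattern: signed compare of the counter against the limit. */
static bool has_space_signed(const struct model_sock *sk, uint32_t size) {
    (void)size;
    return rmem_signed(sk) <= sk->rcvbuf; /* always true at INT_MAX */
}

/* Wrap-free alternative: add and compare in 64-bit unsigned arithmetic. */
static bool has_space_wide(const struct model_sock *sk, uint32_t size) {
    return (uint64_t)sk->rmem_bits + size <= (uint64_t)sk->rcvbuf;
}

typedef bool (*space_fn)(const struct model_sock *, uint32_t);

/* Offer `count` packets of `size` bytes; return how many were accepted. */
static unsigned offer(struct model_sock *sk, space_fn ok, unsigned count, uint32_t size) {
    unsigned accepted = 0;
    for (unsigned i = 0; i < count; i++) {
        if (!ok(sk, size)) continue; /* refused: receive buffer full */
        sk->rmem_bits += size;       /* wraps modulo 2^32 */
        sk->queued += size;
        accepted++;
    }
    return accepted;
}

int main(void) {
    struct model_sock a = { 0, INT32_MAX, 0 }, b = { 0, INT32_MAX, 0 };
    unsigned na = offer(&a, has_space_signed, 3000, 1u << 20);
    unsigned nb = offer(&b, has_space_wide, 3000, 1u << 20);
    printf("signed: %u accepted, counter %d\nwide: %u accepted, counter %d\n",
           na, rmem_signed(&a), nb, rmem_signed(&b));
    return 0;
}
```

With the limit at INT_MAX the signed check accepts every packet and the counter goes negative, while the 64-bit check stops once the next packet would exceed the limit.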