[patch] igbvf: integer overflow in igbvf_change_mtu()

[patch] igbvf: integer overflow in igbvf_change_mtu()

[Dan Carpenter]

The "new_mtu" is between 0 and INT_MAX but when we add ETH_HLEN and
ETH_FCS_LEN to it then it could overflow so "max_frame" is negative.  We
cap the upper bound of "max_frame" but we don't check for negative
values.  This leads to a static checker warning.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
index 297af80..fa338e0 100644
--- a/drivers/net/ethernet/intel/igbvf/netdev.c
+++ b/drivers/net/ethernet/intel/igbvf/netdev.c
@@ -2350,7 +2350,7 @@ static struct net_device_stats *igbvf_get_stats(struct net_device *netdev)
 static int igbvf_change_mtu(struct net_device *netdev, int new_mtu)
 {
 	struct igbvf_adapter *adapter = netdev_priv(netdev);
-	int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
+	unsigned int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
 
 	if (new_mtu < 68 || new_mtu > INT_MAX - ETH_HLEN - ETH_FCS_LEN ||
 	    max_frame > MAX_JUMBO_FRAME_SIZE)

Re: [patch] igbvf: integer overflow in igbvf_change_mtu()

[walter harms]

Am 22.10.2015 11:10, schrieb Dan Carpenter:
> The "new_mtu" is between 0 and INT_MAX but when we add ETH_HLEN and
> ETH_FCS_LEN to it then it could overflow so "max_frame" is negative.  We
> cap the upper bound of "max_frame" but we don't check for negative
> values.  This leads to a static checker warning.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
> index 297af80..fa338e0 100644
> --- a/drivers/net/ethernet/intel/igbvf/netdev.c
> +++ b/drivers/net/ethernet/intel/igbvf/netdev.c
> @@ -2350,7 +2350,7 @@ static struct net_device_stats *igbvf_get_stats(struct net_device *netdev)
>  static int igbvf_change_mtu(struct net_device *netdev, int new_mtu)
>  {
>  	struct igbvf_adapter *adapter = netdev_priv(netdev);
> -	int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
> +	unsigned int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
>  
>  	if (new_mtu < 68 || new_mtu > INT_MAX - ETH_HLEN - ETH_FCS_LEN ||
>  	    max_frame > MAX_JUMBO_FRAME_SIZE)

Perhaps it is better to use MAX_JUMBO_FRAME_SIZE.

max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN = MAX_JUMBO_FRAME_SIZE // max valid

new_mtu=MAX_JUMBO_FRAME_SIZE-ETH_HLEN-ETH_FCS_LEN

so you can avoid adding a "new" variable INT_MAX into this context.

Note: perhaps it would be better for the flow the check new_mtu before
calculating max_frame.

btw: can someone add a comment about the magic 68 ? is there something like a min_frame_size ?
(it is a real question i have no idea)

re,
 wh

> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [patch] igbvf: integer overflow in igbvf_change_mtu()

[Dan Carpenter]

Yeah, there is an integer overflow before we check but so far as I can
see it is harmless.  The kernel is full of harmless integer overflows.
I sort of feel like this is the simplest way to write it and the other
ways feel over engineered and unweildy.

Care to propose a patch, though?

regards,
dan carpenter

Re: [patch] igbvf: integer overflow in igbvf_change_mtu()

[Dan Carpenter]

Oh...  Hm.  I was a bit confused by what Walter was saying.  But there
already is an integer overflow check here so it can't actually be
negative...  I added it a couple years ago.

Forget about this patch.  Sorry.

regards,
dan carpenter