From mboxrd@z Thu Jan 1 00:00:00 1970 From: Joe Perches Subject: Re: [PATCH] Change judgment len position Date: Wed, 24 Oct 2018 09:23:19 -0700 Message-ID: <60f08664db5751949ddfb34666bfda77f99682f1.camel@perches.com> References: <20181024154729.5312-1-wanghaifine@gmail.com> <20181024155739.GA25314@1wt.eu> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Cc: edumazet@google.com, davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org To: Willy Tarreau , Wang Hai Return-path: In-Reply-To: <20181024155739.GA25314@1wt.eu> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Wed, 2018-10-24 at 17:57 +0200, Willy Tarreau wrote: > On Wed, Oct 24, 2018 at 11:47:29PM +0800, Wang Hai wrote: > > To determine whether len is less than zero, it should be put before > > the function min_t, because the return value of min_t is not likely > > to be less than zero. > > Huh? First, the <0 test is made on "len", not "min_t", so it still > is signed. Second, you're in fact completely removing the test here, > look : > > > struct net *net = sock_net(sk); > > int val, len; > > > > + len = min_t(unsigned int, len, sizeof(int)); > > + > > len is used uninitialized here, so the result is undefined. > > > if (get_user(len, optlen)) > > return -EFAULT; > > Then it gets overridden by get_user() > > > - len = min_t(unsigned int, len, sizeof(int)); > > - > > Then its positive values are not bounded anymore since you moved the test. Not quite. Problem here is negative values are tested as large positive values and limited to 4 ie: ien len = -1, len = min_t(unsigned int, len, sizeof(int)); len is now 4 > > if (len < 0) > > return -EINVAL; So this test len < 0 could be moved up above min_t > Then only negative values are dropped. So unless I'm missing something > obvious, you're just allowing len to be as large as 2GB-1 based on the > user's fed optlen. > > Am I wrong ? > > Willychee