From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: conntrack: avoid integer overflow when resizing
Date: Sun, 1 May 2016 21:48:34 +0200 [thread overview]
Message-ID: <20160501194834.GA19580@breakpoint.cc> (raw)
In-Reply-To: <20160429095902.GA15406@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
[ Sorry for late reply ]
> On Sun, Apr 24, 2016 at 01:18:21AM +0200, Florian Westphal wrote:
> > Can overflow so we might allocate very small table when bucket count is
> > high on a 32bit platform.
> >
> > Note: resize is only possible from init_netns.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> > net/netfilter/nf_conntrack_core.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> > index 2bbb962..11daca5 100644
> > --- a/net/netfilter/nf_conntrack_core.c
> > +++ b/net/netfilter/nf_conntrack_core.c
> > @@ -1563,8 +1563,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
> > unsigned int nr_slots, i;
> > size_t sz;
> >
> > + if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head)))
> > + return NULL;
>
> *sizep gets initially set to the number of buckets.
Yes.
> > BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
> > nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
>
> Then, this value is divided by the number of hlist heads that fit into
> a page.
No, its rounded up to a multiple of PAGE/hlist heads, so for very large
values of *sizep nr_slots would be 0.
> > + if (nr_slots > (UINT_MAX / sizeof(struct hlist_nulls_head)))
> > + return NULL;
Alternative would be to change this to:
if (nr_slots == 0 || nr_slots > (UINT_MAX / sizeof(struct hlist_nulls_head)))
return NULL;
Or, add this check:
if (nr_slots < roundup(1, PAGE_SIZE / sizeof(struct hlist_nulls_head))
nr_slots = roundup(1, PAGE_SIZE / sizeof(struct hlist_nulls_head)))
I wasn't sure if its better to fail or if we should just pretend a sane
value was given.
Let me know what you think and I'll submit a v2.
[ Its not a big deal, but eventually I'd like to make the sysctl
writeable so users can just increase that, no need to use this obscure
module parameter/sysfs param ... ]
Cheers,
Florian
next prev parent reply other threads:[~2016-05-01 19:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-23 23:18 [PATCH nf] netfilter: conntrack: avoid integer overflow when resizing Florian Westphal
2016-04-29 9:59 ` Pablo Neira Ayuso
2016-05-01 19:48 ` Florian Westphal [this message]
2016-05-03 22:45 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160501194834.GA19580@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).