Re: [PATCH v4] netfilter: conntrack: fix integer overflow in expectation timeout

Linux Netfilter development
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: "Àlex Fernández" <tomaquet18@protonmail.com>
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4] netfilter: conntrack: fix integer overflow in expectation timeout
Date: Tue, 19 May 2026 21:38:12 +0200	[thread overview]
Message-ID: <agy8JBZYvx54GYfL@strlen.de> (raw)
In-Reply-To: <20260504112300.715192-1-tomaquet18@protonmail.com>

Àlex Fernández <tomaquet18@protonmail.com> wrote:
>  		x->timeout.expires = jiffies +
> -			ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
> +			(u64)ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;

https://sashiko.dev/#/patchset/20260504112300.715192-1-tomaquet18%40protonmail.com

Does this fully resolve the overflow on 32-bit architectures?
The expires field in struct timer_list is an unsigned long, which is 32 bits
wide on 32-bit systems. Assigning the 64-bit multiplication result directly
to expires will silently truncate it back to 32 bits, causing the same
wraparound this patch intends to fix.
Additionally, does providing a timeout delta larger than INT_MAX break the
kernel's signed timer comparisons?
If the delta exceeds INT_MAX, macros like time_after() will evaluate the
timer as being in the past, causing it to expire immediately.
Should the computed timeout delta be explicitly clamped to a safe maximum
(such as INT_MAX or MAX_JIFFY_OFFSET), similar to the logic used for
standard conntrack timeouts?

next prev parent reply	other threads:[~2026-05-19 19:38 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-04 11:23 [PATCH v4] netfilter: conntrack: fix integer overflow in expectation timeout Àlex Fernández
2026-05-19 19:38 ` Florian Westphal [this message]
2026-05-19 19:55   ` Pablo Neira Ayuso
2026-05-19 19:57     ` Pablo Neira Ayuso
2026-05-19 20:00       ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=agy8JBZYvx54GYfL@strlen.de \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=tomaquet18@protonmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox