From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: "Àlex Fernández" <tomaquet18@protonmail.com>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4] netfilter: conntrack: fix integer overflow in expectation timeout
Date: Tue, 19 May 2026 21:57:09 +0200 [thread overview]
Message-ID: <agzAlQb36seb2Rhr@chamomile> (raw)
In-Reply-To: <agzAFhNpiYNcBeZ5@chamomile>
On Tue, May 19, 2026 at 09:55:06PM +0200, Pablo Neira Ayuso wrote:
> On Tue, May 19, 2026 at 09:38:12PM +0200, Florian Westphal wrote:
> > Àlex Fernández <tomaquet18@protonmail.com> wrote:
> > > x->timeout.expires = jiffies +
> > > - ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
> > > + (u64)ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
>
> Yes, for correctness, fixing this is fine but...
>
> > https://sashiko.dev/#/patchset/20260504112300.715192-1-tomaquet18%40protonmail.com
> >
> > Does this fully resolve the overflow on 32-bit architectures?
> > The expires field in struct timer_list is an unsigned long, which is 32 bits
> > wide on 32-bit systems. Assigning the 64-bit multiplication result directly
> > to expires will silently truncate it back to 32 bits, causing the same
> > wraparound this patch intends to fix.
> > Additionally, does providing a timeout delta larger than INT_MAX break the
> > kernel's signed timer comparisons?
> > If the delta exceeds INT_MAX, macros like time_after() will evaluate the
> > timer as being in the past, causing it to expire immediately.
>
> the submitter claims you can create expectations that expires
> inmediately, but what is the issue with this?
>
> > Should the computed timeout delta be explicitly clamped to a safe maximum
> > (such as INT_MAX or MAX_JIFFY_OFFSET), similar to the logic used for
> > standard conntrack timeouts?
>
> I think this is just a cleanup / nf-next material?
But this can also go through nf.git for correctness, we can just
describe in the PR the effect of this bug.
next prev parent reply other threads:[~2026-05-19 19:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-04 11:23 [PATCH v4] netfilter: conntrack: fix integer overflow in expectation timeout Àlex Fernández
2026-05-19 19:38 ` Florian Westphal
2026-05-19 19:55 ` Pablo Neira Ayuso
2026-05-19 19:57 ` Pablo Neira Ayuso [this message]
2026-05-19 20:00 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agzAlQb36seb2Rhr@chamomile \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=tomaquet18@protonmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox