Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL

From: Kees Cook
Date: Mon Aug 27 2018 - 10:08:29 EST

On Mon, Aug 27, 2018 at 4:46 AM, Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
> On 2018-08-26 5:56 p.m., Kees Cook wrote:
>> On Sun, Aug 26, 2018 at 10:30 AM, Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
>> wrote:
>>> We should add an nla_policy later.
>> What's the right way to do that for cases like this?
> Meant something like attached which you alluded-to in your comments
> would give an upper bound (Max allowed keys is 128).

The problem is that policy doesn't parse the contents: "nkeys"
determines the size, so we have to both validate minimum size (to be
sure the location of "nkeys" is valid) and check that the size is at
least nkeys * struct long. I don't think there is a way to do this
with the existing policy language.


Kees Cook
Pixel Security