Re: [PATCH -next] tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
From: Eric Dumazet
Date: Wed Oct 12 2022 - 08:32:10 EST
On Wed, Oct 12, 2022 at 2:35 AM Lu Wei <luwei32@xxxxxxxxxx> wrote:
>
> The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and
> in tcp_add_backlog(), the variable limit is caculated by adding
> sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value
> of u32 and be truncated. So change it to u64 to avoid a potential
> signed-integer-overflow, which leads to opposite result is returned
> in the following function.
>
> Signed-off-by: Lu Wei <luwei32@xxxxxxxxxx>
You need to add a Fixes: tag, please.
> ---
> include/net/sock.h | 4 ++--
> net/ipv4/tcp_ipv4.c | 6 ++++--
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 08038a385ef2..fc0fa29d8865 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1069,7 +1069,7 @@ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
> * Do not take into account this skb truesize,
> * to allow even a single big packet to come.
> */
> -static inline bool sk_rcvqueues_full(const struct sock *sk, unsigned int limit)
> +static inline bool sk_rcvqueues_full(const struct sock *sk, u64 limit)
> {
> unsigned int qsize = sk->sk_backlog.len + atomic_read(&sk->sk_rmem_alloc);
qsize would then overflow :/
I would rather limit sk_rcvbuf and sk_sndbuf to 0x7fff0000, instead of
0x7ffffffe
If really someone is using 2GB for both send and receive queues, I
doubt removing 64KB will be a problem.