Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()

[Simon Horman]

On Tue, Jan 21, 2025 at 02:16:01PM +0300, Dan Carpenter wrote:
> The problem is that "replay_esn->bmp_len" comes from the user and it's
> a u32.  The xfrm_replay_state_esn_len() function also returns a u32.
> So if we choose a ->bmp_len which very high then the total will be
> more than UINT_MAX and value will be truncated when we return.  The
> returned value will be smaller than expected causing problems in the
> caller.
> 
> To fix this:
> 1) Use size_add() and size_mul().  This change is necessary for 32bit
>    systems.
> 2) Change the type of xfrm_replay_state_esn_len() and related variables
>    from u32 to size_t.
> 3) Remove the casts to (int).  The size should never be negative.
>    Generally, values which come from size_add/mul() should stay as type
>    size_t and not be truncated to user fewer than all the bytes in a
>    unsigned long.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec extended sequence numbers")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> The one caller that I didn't modify was xfrm_sa_len().  That's a bit
> complicated and also I'm kind of hoping that we don't handle user
> controlled data in that function?  The place where we definitely are
> handling user data is in xfrm_alloc_replay_state_esn() and this patch
> fixes that.

Yes, that is a bit "complex".

FWIIW, my opinion is that your patch is correct and it improves things -
even if the end result may still have imperfections. And for that reason
I'm in favour of it being accepted.

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>