Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()
From: Simon Horman
Date: Wed Jan 22 2025 - 07:39:50 EST
On Tue, Jan 21, 2025 at 02:16:01PM +0300, Dan Carpenter wrote:
> The problem is that "replay_esn->bmp_len" comes from the user and it's
> a u32. The xfrm_replay_state_esn_len() function also returns a u32.
> So if we choose a ->bmp_len which very high then the total will be
> more than UINT_MAX and value will be truncated when we return. The
> returned value will be smaller than expected causing problems in the
> caller.
>
> To fix this:
> 1) Use size_add() and size_mul(). This change is necessary for 32bit
> systems.
> 2) Change the type of xfrm_replay_state_esn_len() and related variables
> from u32 to size_t.
> 3) Remove the casts to (int). The size should never be negative.
> Generally, values which come from size_add/mul() should stay as type
> size_t and not be truncated to user fewer than all the bytes in a
> unsigned long.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec extended sequence numbers")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> The one caller that I didn't modify was xfrm_sa_len(). That's a bit
> complicated and also I'm kind of hoping that we don't handle user
> controlled data in that function? The place where we definitely are
> handling user data is in xfrm_alloc_replay_state_esn() and this patch
> fixes that.
Yes, that is a bit "complex".
FWIIW, my opinion is that your patch is correct and it improves things -
even if the end result may still have imperfections. And for that reason
I'm in favour of it being accepted.
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>