Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()
From: Dan Carpenter
Date: Wed Jan 22 2025 - 08:51:15 EST
On Wed, Jan 22, 2025 at 04:16:48PM +0300, Dan Carpenter wrote:
> On Wed, Jan 22, 2025 at 12:39:36PM +0000, Simon Horman wrote:
> > > The one caller that I didn't modify was xfrm_sa_len(). That's a bit
> > > complicated and also I'm kind of hoping that we don't handle user
> > > controlled data in that function? The place where we definitely are
> > > handling user data is in xfrm_alloc_replay_state_esn() and this patch
> > > fixes that.
> >
> > Yes, that is a bit "complex".
> >
>
> I don't have a reason to suspect xfrm_sa_len() but if we were to write
> a paranoid version of it then I've written that draft below. I stole
> Herbert's xfrm_kblen2klen() function[1]. Also the nlmsg_new() function
> would need to be updated as well.
>
> https://lore.kernel.org/all/Z2KZC71JZ0QnrhfU@xxxxxxxxxxxxxxxxxxx/
>
> regards,
> dan carpenter
>
> diff --git a/include/net/netlink.h b/include/net/netlink.h
> index e015ffbed819..ca7a8152e6d4 100644
> --- a/include/net/netlink.h
> +++ b/include/net/netlink.h
> @@ -1015,6 +1015,8 @@ static inline struct nlmsghdr *nlmsg_put_answer(struct sk_buff *skb,
> */
> static inline struct sk_buff *nlmsg_new(size_t payload, gfp_t flags)
> {
> + if (payload > INT_MAX)
> + return NULL;
> return alloc_skb(nlmsg_total_size(payload), flags);
> }
Actually, this chunk is necessary. Let me sent that by itself.
regards,
dan carpenter