Message ID | 1405697638-23767-1-git-send-email-andrey.krieger.utkin@gmail.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Headers | show |
Hello, On Fri, 18 Jul 2014, Andrey Utkin wrote: > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80601 > Reported-by: David Binderman <dcb314@hotmail.com> > Signed-off-by: Andrey Utkin <andrey.krieger.utkin@gmail.com> > --- > net/netfilter/ipvs/ip_vs_ctl.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c > index 581a658..4ed7b59 100644 > --- a/net/netfilter/ipvs/ip_vs_ctl.c > +++ b/net/netfilter/ipvs/ip_vs_ctl.c > @@ -2338,8 +2338,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) > > if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX) > return -EINVAL; > - if (len < 0 || len > MAX_ARG_LEN) > - return -EINVAL; The above check ensures the set_arglen[] value (some struct size) does not exceed the arg[MAX_ARG_LEN] space. You can check commit 04bcef2a83f40c ("ipvs: Add boundary check on ioctl arguments") for more info. Still, check can be reduced to if (len > MAX_ARG_LEN)... Also, len is unsigned, so len < 0 is useless even for this reason. > if (len != set_arglen[SET_CMDID(cmd)]) { > pr_err("set_ctl: len %u != %u\n", > len, set_arglen[SET_CMDID(cmd)]); > -- > 1.8.5.5 Regards -- Julian Anastasov <ja@ssi.bg> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
2014-07-18 23:48 GMT+03:00 Julian Anastasov <ja@ssi.bg>: > The above check ensures the set_arglen[] value (some > struct size) does not exceed the arg[MAX_ARG_LEN] space. You can check > commit 04bcef2a83f40c ("ipvs: Add boundary check on ioctl arguments") > for more info. Thanks for info. What about static check at compilation time? #if (DAEMON_ARG_LEN > MAX_ARG_LEN) \ || (SERVICE_ARG_LEN > MAX_ARG_LEN) \ || (SVCDEST_ARG_LEN > MAX_ARG_LEN) #error MAX_ARG_LEN exceeded in set_arglen table #endif
2014-07-19 0:06 GMT+03:00 Andrey Utkin <andrey.krieger.utkin@gmail.com>: > What about static check at compilation time? > > #if (DAEMON_ARG_LEN > MAX_ARG_LEN) \ > || (SERVICE_ARG_LEN > MAX_ARG_LEN) \ > || (SVCDEST_ARG_LEN > MAX_ARG_LEN) > #error MAX_ARG_LEN exceeded in set_arglen table > #endif This approach doesn't work, looks because sizeof() values are not calculated at preprocessing stage.
2014-07-20 1:59 GMT+03:00 Andrey Utkin <andrey.krieger.utkin@gmail.com>: > This approach doesn't work, looks because sizeof() values are not > calculated at preprocessing stage. What about adding equivalent BUG_ON() statement to __init ip_vs_register_nl_ioctl(), which "registers" do_ip_vs_set_ctl() callback?
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 581a658..4ed7b59 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -2338,8 +2338,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX) return -EINVAL; - if (len < 0 || len > MAX_ARG_LEN) - return -EINVAL; if (len != set_arglen[SET_CMDID(cmd)]) { pr_err("set_ctl: len %u != %u\n", len, set_arglen[SET_CMDID(cmd)]);
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80601 Reported-by: David Binderman <dcb314@hotmail.com> Signed-off-by: Andrey Utkin <andrey.krieger.utkin@gmail.com> --- net/netfilter/ipvs/ip_vs_ctl.c | 2 -- 1 file changed, 2 deletions(-)