From patchwork Wed Apr 18 21:35:33 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexander Aring <aring@mojatatu.com>
X-Patchwork-Id: 900401
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=mojatatu.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=mojatatu-com.20150623.gappssmtp.com
	header.i=@mojatatu-com.20150623.gappssmtp.com
	header.b="Y0FiT4os"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 40RFmh3rkhz9s1X
	for <patchwork-incoming-netdev@ozlabs.org>;
	Thu, 19 Apr 2018 07:36:20 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752739AbeDRVgT (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 18 Apr 2018 17:36:19 -0400
Received: from mail-it0-f67.google.com ([209.85.214.67]:34185 "EHLO
	mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750981AbeDRVgH (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 18 Apr 2018 17:36:07 -0400
Received: by mail-it0-f67.google.com with SMTP id t192-v6so18778924itc.1
	for <netdev@vger.kernel.org>; Wed, 18 Apr 2018 14:36:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=mojatatu-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=4IPbmjdPZwuXYP/UsIGbzZn8kBaJIa+0M+3VLpAkiVI=;
	b=Y0FiT4oskgvm9BhZnM/ZlMnb4t6L7f2kegA0ki00IaA/52KRuX7uF2NSerrwmMvH1w
	UgwSqgxAMKaJ3lmSwsX7DsLz7LOYnI4MxMSufQcNolxUQSfdBuIniqOZXk4hsY7Oe/HQ
	y9er/UKkrWJSmNhY21ZXISzkUTYv0yM2j81yhCe+rSjaZf20dawW3ZWU46obrZ71G8DA
	IsB0LiLmEOiUE7NGbQ73cncqLryvlnWP5qIptqNDUW3XxvD9nNZKBwXdeXb3BowaKmFJ
	B0ijLvmvaYiuupyjf61qFAk2a6CYmV6DK/MIXEu6nxa1HfVl6nu/RfwWHTg9lDS0ytPx
	tnTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=4IPbmjdPZwuXYP/UsIGbzZn8kBaJIa+0M+3VLpAkiVI=;
	b=ijCCuFF2xANuTBy5cp9IOCpa1C9vD1JUtm3TmQNW1pguwE3I1nvnidVzEl/51hLgrp
	5hZmrH2Ig3CSNkOECOOeWPl95MvBmut7ZqBb7ZtmDnC6tnf2UiTS1Rh40KdZjG9JqImT
	lk7e8YSNY+XJUf0QBouvYK2A5OmyFPW5tjl1ZMoJI62hlwu8+YRCfVFqvhqy3XhoCn+2
	uaKTZ1d256551hPpyVRKDuZCxzHL9q9FCYMFd+bF82N3Dd7XZg1ITACCOXR+iglUeCXC
	syk1A0bwwmMdaOTAVSdTZRF4TJI6d5jyvcNU9TqLeh4kH10bOzx1eUUq9JKAjc5Og4US
	bZTg==
X-Gm-Message-State: ALQs6tDBVZ95M0mM/F457V4zwfuIlivmJpUdXZd4F0SILFMZCUc6HCCp
	jfFWuXQEkDr3cI5XCkRhlt2CUw==
X-Google-Smtp-Source: 
 AB8JxZoxx1k71pzdBhl+E/o3QbwyHAEcwGN932XIpXIrhMhWho271Xl/27/Cpuv+r50kJsk9V3cNbQ==
X-Received: by 2002:a24:5903:: with SMTP id
	p3-v6mr3808318itb.97.1524087367217;
	Wed, 18 Apr 2018 14:36:07 -0700 (PDT)
Received: from x220t.lan ([64.26.149.125]) by smtp.gmail.com with ESMTPSA id
	m71-v6sm1350521itc.5.2018.04.18.14.36.06
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 18 Apr 2018 14:36:06 -0700 (PDT)
From: Alexander Aring <aring@mojatatu.com>
To: yotam.gi@gmail.com
Cc: jhs@mojatatu.com, davem@davemloft.net, xiyou.wangcong@gmail.com,
	jiri@resnulli.us, yuvalm@mellanox.com, netdev@vger.kernel.org,
	kernel@mojatatu.com, Alexander Aring <aring@mojatatu.com>
Subject: [PATCH net 2/3] net: sched: ife: handle malformed tlv length
Date: Wed, 18 Apr 2018 17:35:33 -0400
Message-Id: <20180418213534.6215-3-aring@mojatatu.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180418213534.6215-1-aring@mojatatu.com>
References: <20180418213534.6215-1-aring@mojatatu.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

There is currently no handling to check on a invalid tlv length. This
patch adds such handling to avoid killing the kernel with a malformed
ife packet.

Signed-off-by: Alexander Aring <aring@mojatatu.com>
Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
---
 include/net/ife.h   |  3 ++-
 net/ife/ife.c       | 35 +++++++++++++++++++++++++++++++++--
 net/sched/act_ife.c |  7 ++++++-
 3 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/include/net/ife.h b/include/net/ife.h
index 44b9c00f7223..e117617e3c34 100644
--- a/include/net/ife.h
+++ b/include/net/ife.h
@@ -12,7 +12,8 @@
 void *ife_encode(struct sk_buff *skb, u16 metalen);
 void *ife_decode(struct sk_buff *skb, u16 *metalen);
 
-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen);
+void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype,
+			  u16 *dlen, u16 *totlen);
 int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen,
 			const void *dval);
 
diff --git a/net/ife/ife.c b/net/ife/ife.c
index 7d1ec76e7f43..8632d2685efb 100644
--- a/net/ife/ife.c
+++ b/net/ife/ife.c
@@ -92,12 +92,43 @@ struct meta_tlvhdr {
 	__be16 len;
 };
 
+static inline bool __ife_tlv_meta_valid(const unsigned char *skbdata,
+					const unsigned char *ifehdr_end)
+{
+	const struct meta_tlvhdr *tlv;
+	u16 tlvlen;
+
+	if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end))
+		return false;
+
+	tlv = (struct meta_tlvhdr *)skbdata;
+	tlvlen = ntohs(tlv->len);
+
+	/* tlv length field is inc header, check on minimum */
+	if (tlvlen < NLA_HDRLEN)
+		return false;
+
+	/* overflow by NLA_ALIGN check */
+	if (NLA_ALIGN(tlvlen) < tlvlen)
+		return false;
+
+	if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end))
+		return false;
+
+	return true;
+}
+
 /* Caller takes care of presenting data in network order
  */
-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen)
+void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype,
+			  u16 *dlen, u16 *totlen)
 {
-	struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata;
+	struct meta_tlvhdr *tlv;
+
+	if (!__ife_tlv_meta_valid(skbdata, ifehdr_end))
+		return NULL;
 
+	tlv = (struct meta_tlvhdr *)skbdata;
 	*dlen = ntohs(tlv->len) - NLA_HDRLEN;
 	*attrtype = ntohs(tlv->type);
 
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 49b8ab551fbe..8527cfdc446d 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -682,7 +682,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
 		u16 mtype;
 		u16 dlen;
 
-		curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL);
+		curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype,
+						&dlen, NULL);
+		if (!curr_data) {
+			qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats));
+			return TC_ACT_SHOT;
+		}
 
 		if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) {
 			/* abuse overlimits to count when we receive metadata