From patchwork Thu Apr 19 21:44:37 2018
From: Alexander Aring
To: yotam.gi@gmail.com
Cc: jhs@mojatatu.com, davem@davemloft.net, xiyou.wangcong@gmail.com, jiri@resnulli.us, yuvalm@mellanox.com, netdev@vger.kernel.org, kernel@mojatatu.com, Alexander Aring
Subject: [PATCHv2 net 2/3] net: sched: ife: handle malformed tlv length
Date: Thu, 19 Apr 2018 17:44:37 -0400
Message-Id: <20180419214438.6801-3-aring@mojatatu.com>
In-Reply-To: <20180419214438.6801-1-aring@mojatatu.com>
References: <20180419214438.6801-1-aring@mojatatu.com>
X-Mailer: git-send-email 2.11.0
X-Patchwork-Submitter: Alexander Aring
X-Patchwork-Id: 901526
X-Patchwork-Delegate: davem@davemloft.net
List-ID: netdev@vger.kernel.org

There is currently no handling to check on an invalid tlv length. This
patch adds such handling to avoid killing the kernel with a malformed
ife packet.
Signed-off-by: Alexander Aring Reviewed-by: Yotam Gigi Acked-by: Jamal Hadi Salim --- include/net/ife.h | 3 ++- net/ife/ife.c | 35 +++++++++++++++++++++++++++++++++-- net/sched/act_ife.c | 7 ++++++- 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/include/net/ife.h b/include/net/ife.h index 44b9c00f7223..e117617e3c34 100644 --- a/include/net/ife.h +++ b/include/net/ife.h @@ -12,7 +12,8 @@ void *ife_encode(struct sk_buff *skb, u16 metalen); void *ife_decode(struct sk_buff *skb, u16 *metalen); -void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen); +void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, + u16 *dlen, u16 *totlen); int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen, const void *dval); diff --git a/net/ife/ife.c b/net/ife/ife.c index 7d1ec76e7f43..7fbe70a0af4b 100644 --- a/net/ife/ife.c +++ b/net/ife/ife.c 
@@ -92,12 +92,43 @@ struct meta_tlvhdr { __be16 len; }; +static bool __ife_tlv_meta_valid(const unsigned char *skbdata, + const unsigned char *ifehdr_end) +{ + const struct meta_tlvhdr *tlv; + u16 tlvlen; + + if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end)) + return false; + + tlv = (const struct meta_tlvhdr *)skbdata; + tlvlen = ntohs(tlv->len); + + /* tlv length field is inc header, check on minimum */ + if (tlvlen < NLA_HDRLEN) + return false; + + /* overflow by NLA_ALIGN check */ + if (NLA_ALIGN(tlvlen) < tlvlen) + return false; + + if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end)) + return false; + + return true; +} + /* Caller takes care of presenting data in network order */ -void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen) +void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, + u16 *dlen, u16 *totlen) { - struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata; + struct meta_tlvhdr *tlv; + + if (!__ife_tlv_meta_valid(skbdata, ifehdr_end)) + return NULL; + tlv = (struct meta_tlvhdr *)skbdata; *dlen = ntohs(tlv->len) - NLA_HDRLEN; *attrtype = ntohs(tlv->type); diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c index 49b8ab551fbe..8527cfdc446d 100644 --- a/net/sched/act_ife.c +++ b/net/sched/act_ife.c @@ -682,7 +682,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a, u16 mtype; u16 dlen; - curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL); + curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype, + &dlen, NULL); + if (!curr_data) { + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) { /* abuse overlimits to count when we receive metadata
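Review bot: the new `ifehdr_end` parameter added to `ife_tlv_meta_decode()` in the include/net/ife.h hunk is undocumented, and the function's contract changes with this patch (it can now return NULL). Suggest a short comment at the prototype stating that `ifehdr_end` is the exclusive end of the IFE metadata area and that a NULL return means the TLV at `skbdata` is malformed or does not fit before `ifehdr_end`, so every caller must check the result.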
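Review bot: in the net/ife/ife.c hunk, the guard `if (NLA_ALIGN(tlvlen) < tlvlen)` can only catch an overflow if the macro's result is truncated back to 16 bits; `tlvlen` is declared `u16`, and if `NLA_ALIGN()` computes in `int` arithmetic (as the standard definition does), a length of 0xFFFF yields 0x10000, which is never smaller than `tlvlen`, so the comparison is dead. It is harmless, because the following check `skbdata + NLA_ALIGN(tlvlen) > ifehdr_end` works on the same un-truncated value and rejects the TLV anyway, but either drop the dead guard or explain in its comment why it is kept. Also, `/* tlv length field is inc header, check on minimum */` reads better as `/* tlv length field includes the header, check on minimum */`.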
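Review bot: in the net/sched/act_ife.c hunk, the new drop path carries no comment while the neighbouring `find_decode_metaid()` failure path does (`/* abuse overlimits to count when we receive metadata`). Add a one-line comment above `if (!curr_data) {` saying the packet is shot because a TLV length did not fit inside the IFE header, so the drop counter's meaning is clear to the next reader. The hunk context also does not show where `ifehdr_end` is computed in `tcf_ife_decode()`; confirm it is the end of the metadata area returned by `ife_decode()` so that the bound passed to `ife_tlv_meta_decode()` is the one the validity check expects.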