From patchwork Thu Apr 19 22:14:44 2018
X-Patchwork-Submitter: Alexander Aring
X-Patchwork-Id: 901541
X-Patchwork-Delegate: davem@davemloft.net
From: Alexander Aring
To: yotam.gi@gmail.com
Cc: jhs@mojatatu.com, davem@davemloft.net, xiyou.wangcong@gmail.com, jiri@resnulli.us, yuvalm@mellanox.com, netdev@vger.kernel.org, kernel@mojatatu.com, Alexander Aring
Subject: [PATCHv3 net 2/3] net: sched: ife: handle malformed tlv length
Date: Thu, 19 Apr 2018 18:14:44 -0400
Message-Id: <20180419221445.26205-3-aring@mojatatu.com>
In-Reply-To: <20180419221445.26205-1-aring@mojatatu.com>
References: <20180419221445.26205-1-aring@mojatatu.com>
X-Mailing-List: netdev@vger.kernel.org

There is currently no handling to check on an invalid tlv length. This patch adds such handling to avoid killing the kernel with a malformed ife packet.
Signed-off-by: Alexander Aring Reviewed-by: Yotam Gigi Acked-by: Jamal Hadi Salim --- include/net/ife.h | 3 ++- net/ife/ife.c | 35 +++++++++++++++++++++++++++++++++-- net/sched/act_ife.c | 7 ++++++- 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/include/net/ife.h b/include/net/ife.h index 44b9c00f7223..e117617e3c34 100644 --- a/include/net/ife.h +++ b/include/net/ife.h @@ -12,7 +12,8 @@ void *ife_encode(struct sk_buff *skb, u16 metalen); void *ife_decode(struct sk_buff *skb, u16 *metalen); -void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen); +void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, + u16 *dlen, u16 *totlen); int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen, const void *dval); diff --git a/net/ife/ife.c b/net/ife/ife.c index 7d1ec76e7f43..7fbe70a0af4b 100644 --- a/net/ife/ife.c +++ b/net/ife/ife.c 
@@ -92,12 +92,43 @@ struct meta_tlvhdr { __be16 len; }; +static bool __ife_tlv_meta_valid(const unsigned char *skbdata, + const unsigned char *ifehdr_end) +{ + const struct meta_tlvhdr *tlv; + u16 tlvlen; + + if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end)) + return false; + + tlv = (const struct meta_tlvhdr *)skbdata; + tlvlen = ntohs(tlv->len); + + /* tlv length field is inc header, check on minimum */ + if (tlvlen < NLA_HDRLEN) + return false; + + /* overflow by NLA_ALIGN check */ + if (NLA_ALIGN(tlvlen) < tlvlen) + return false; + + if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end)) + return false; + + return true; +} + /* Caller takes care of presenting data in network order */ -void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen) +void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, + u16 *dlen, u16 *totlen) { - struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata; + struct meta_tlvhdr *tlv; + + if (!__ife_tlv_meta_valid(skbdata, ifehdr_end)) + return NULL; + tlv = (struct meta_tlvhdr *)skbdata; *dlen = ntohs(tlv->len) - NLA_HDRLEN; *attrtype = ntohs(tlv->type); diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c index 49b8ab551fbe..8527cfdc446d 100644 --- a/net/sched/act_ife.c +++ b/net/sched/act_ife.c @@ -682,7 +682,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a, u16 mtype; u16 dlen; - curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL); + curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype, + &dlen, NULL); + if (!curr_data) { + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) { /* abuse overlimits to count when we receive metadata
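Review bot: in the include/net/ife.h hunk, the new `ifehdr_end` parameter of `ife_tlv_meta_decode()` is undocumented and the function's contract has changed (it now returns NULL when the TLV does not fit), which every caller must handle. Add a short comment above the prototype saying that `ifehdr_end` points one past the last byte of the IFE metadata region and that a NULL return means the TLV header or its `len` field exceeds that bound, so out-of-tree callers are not caught out by the old signature.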
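Review bot: in the net/ife/ife.c hunk, the `NLA_ALIGN(tlvlen) < tlvlen` test in `__ife_tlv_meta_valid()` looks dead as written: `tlvlen` is a `u16`, and assuming NLA_ALIGN is the usual round-up-to-4 macro its arithmetic happens after promotion to `int`, so the rounded value can never be smaller than `tlvlen`. The following `skbdata + NLA_ALIGN(tlvlen) > ifehdr_end` check already rejects an over-long TLV, so either drop the wrap check or rewrite the comment to state exactly what it guards against. The `tlvlen < NLA_HDRLEN` minimum check is the important one here, since it is what keeps `*dlen = ntohs(tlv->len) - NLA_HDRLEN` from underflowing; the comment "tlv length field is inc header" would read better spelled out as "includes the header".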
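Review bot: in the net/sched/act_ife.c hunk, `ifehdr_end` is passed to `ife_tlv_meta_decode()` but is neither declared nor computed anywhere in this hunk, so the change depends on an earlier patch of this series providing that local in `tcf_ife_decode()`; say so in the commit message (or fold the two together) so the series bisects cleanly. Dropping with `TC_ACT_SHOT` and bumping the drop qstat is the right outcome for a malformed TLV, but note for operators that this drop is only visible through the action's statistics, so a `net_dbg_ratelimited()`-style message on this path would make malformed-IFE drops distinguishable from other drops during an incident.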