From patchwork Fri Apr 20 19:15:04 2018
X-Patchwork-Submitter: Alexander Aring
X-Patchwork-Id: 902143
X-Patchwork-Delegate: davem@davemloft.net
From: Alexander Aring
To: yotam.gi@gmail.com
Cc: jhs@mojatatu.com, davem@davemloft.net, xiyou.wangcong@gmail.com, jiri@resnulli.us, yuvalm@mellanox.com, netdev@vger.kernel.org, kernel@mojatatu.com, Alexander Aring
Subject: [PATCHv4 net 2/3] net: sched: ife: handle malformed tlv length
Date: Fri, 20 Apr 2018 15:15:04 -0400
Message-Id: <20180420191505.27633-3-aring@mojatatu.com>
In-Reply-To: <20180420191505.27633-1-aring@mojatatu.com>
References: <20180420191505.27633-1-aring@mojatatu.com>

There is currently no handling to check on an invalid tlv length. This patch adds such handling to avoid killing the kernel with a malformed ife packet.

Signed-off-by: Alexander Aring Reviewed-by: Yotam Gigi Acked-by: Jamal Hadi Salim --- include/net/ife.h | 3 ++- net/ife/ife.c | 35 +++++++++++++++++++++++++++++++++-- net/sched/act_ife.c | 7 ++++++- 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/include/net/ife.h b/include/net/ife.h index 44b9c00f7223..e117617e3c34 100644 --- a/include/net/ife.h +++ b/include/net/ife.h @@ -12,7 +12,8 @@ void *ife_encode(struct sk_buff *skb, u16 metalen); void *ife_decode(struct sk_buff *skb, u16 *metalen); -void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen); +void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, + u16 *dlen, u16 *totlen); int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen, const void *dval); diff --git a/net/ife/ife.c b/net/ife/ife.c index 7d1ec76e7f43..7fbe70a0af4b 100644 --- a/net/ife/ife.c +++ b/net/ife/ife.c 
@@ -92,12 +92,43 @@ struct meta_tlvhdr { __be16 len; }; +static bool __ife_tlv_meta_valid(const unsigned char *skbdata, + const unsigned char *ifehdr_end) +{ + const struct meta_tlvhdr *tlv; + u16 tlvlen; + + if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end)) + return false; + + tlv = (const struct meta_tlvhdr *)skbdata; + tlvlen = ntohs(tlv->len); + + /* tlv length field is inc header, check on minimum */ + if (tlvlen < NLA_HDRLEN) + return false; + + /* overflow by NLA_ALIGN check */ + if (NLA_ALIGN(tlvlen) < tlvlen) + return false; + + if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end)) + return false; + + return true; +} + /* Caller takes care of presenting data in network order */ -void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen) +void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, + u16 *dlen, u16 *totlen) { - struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata; + struct meta_tlvhdr *tlv; + + if (!__ife_tlv_meta_valid(skbdata, ifehdr_end)) + return NULL; + tlv = (struct meta_tlvhdr *)skbdata; *dlen = ntohs(tlv->len) - NLA_HDRLEN; *attrtype = ntohs(tlv->type); diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c index 49b8ab551fbe..8527cfdc446d 100644 --- a/net/sched/act_ife.c +++ b/net/sched/act_ife.c @@ -682,7 +682,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a, u16 mtype; u16 dlen; - curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL); + curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype, + &dlen, NULL); + if (!curr_data) { + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) { /* abuse overlimits to count when we receive metadata
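Review bot: the new ifehdr_end parameter in the ife_tlv_meta_decode() prototype in include/net/ife.h is undocumented, and nothing in the header says the function can now return NULL. A short comment above the declaration stating that ifehdr_end is the exclusive end of the metadata area (as the `> ifehdr_end` comparisons in ife.c imply) and that a NULL return means a malformed TLV would keep future callers from passing the wrong bound or skipping the check.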
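Review bot: in __ife_tlv_meta_valid() both bounds checks build a pointer with `skbdata + ...` and then compare it with ifehdr_end, which silently assumes skbdata <= ifehdr_end and that the sum stays inside the buffer. Comparing lengths is more robust: compute the remaining bytes once as `ifehdr_end - skbdata`, reject if that is smaller than sizeof(*tlv), and reject again if it is smaller than NLA_ALIGN(tlvlen). Separately, tlvlen is declared u16 and is promoted to int in `NLA_ALIGN(tlvlen) < tlvlen`, so unless NLA_ALIGN truncates its result that overflow test cannot fire; either drop it or say in the comment which type it is guarding. ife_tlv_meta_decode() also re-reads tlv->len with ntohs() after the helper has already converted it, so having the helper hand back the validated length would avoid the second read.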
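Review bot: the new `if (!curr_data)` branch in tcf_ife_decode() records a malformed TLV only through qstats_drop_inc(), so in the action's statistics it is indistinguishable from any other drop. The context right below already uses overlimits to count a metadata event; a one-line comment on this branch saying it is the malformed-length path, plus a distinct counter or a rate-limited message, would let an operator see that malformed ife packets are arriving rather than just a rising drop count. The diffstat shows act_ife.c as the only caller touched, so it is worth confirming in the changelog that no other user of ife_tlv_meta_decode() exists that would now need the NULL check.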