From patchwork Wed Dec  5 04:49:15 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: solomon <shanwei88@gmail.com>
X-Patchwork-Id: 203784
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 79D8D2C00BE
	for <patchwork-incoming@ozlabs.org>;
	Wed,  5 Dec 2012 15:49:31 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753713Ab2LEEt3 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 4 Dec 2012 23:49:29 -0500
Received: from mail-pb0-f46.google.com ([209.85.160.46]:63188 "EHLO
	mail-pb0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752808Ab2LEEt1 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 4 Dec 2012 23:49:27 -0500
Received: by mail-pb0-f46.google.com with SMTP id wy7so3362612pbc.19
	for <netdev@vger.kernel.org>; Tue, 04 Dec 2012 20:49:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject
	:content-type:content-transfer-encoding;
	bh=nuMuPpA1hQnJrCw+3Q6BjvGMzUXiIZ2VyxXpeIF3SsA=;
	b=ORPsdGg9D9zDRizj61W5XjR+DRC0gWpvi5DhZdrwuwmhjJrO7soCiolxaRmenNqbdW
	gOXFcHa3L9CKKSHIELYw//qUb3DWo5Zq5BALicjNBiYaa2eNAuJx+GIyY3ScVYocEAql
	YeUKAWAJWcOISw8+F6ND7Hm4mdCEMwAFOSH72vhKEYhtWgKwOZ9CmlADChs4CuLDR3fC
	i2d1mbL5pIdRRMgG/QUuZ45tiUKHBCnSsFja9C6C1z11Kxk1cLqFOiz2CEHpsDLjlLoI
	DNNLC7vyh4kp3P9vDQoBiqCloOftaJB7Ht7+d4Dom+h2MPKgIUYKLHvU/CpMhfFEzhPX
	p6Lw==
Received: by 10.68.253.102 with SMTP id zz6mr45010088pbc.99.1354682966765;
	Tue, 04 Dec 2012 20:49:26 -0800 (PST)
Received: from [172.30.10.127] ([121.14.96.124])
	by mx.google.com with ESMTPS id
	us7sm2184109pbc.40.2012.12.04.20.49.19
	(version=SSLv3 cipher=OTHER); Tue, 04 Dec 2012 20:49:25 -0800 (PST)
Message-ID: <50BED24B.1030205@gmail.com>
Date: Wed, 05 Dec 2012 12:49:15 +0800
From: Shan Wei <shanwei88@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: David Miller <davem@davemloft.net>,
	Eric Dumazet <eric.dumazet@gmail.com>, NetDev <netdev@vger.kernel.org>
CC: Shan Wei <shanwei88@gmail.com>
Subject: [PATCH net-next 1/2] net: neighbour: prohibit negative value for
	unres_qlen_bytes parameter
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Shan Wei <davidshan@tencent.com>

unres_qlen_bytes and unres_qlen are int type.
But multiple relation(unres_qlen_bytes = unres_qlen * SKB_TRUESIZE(ETH_FRAME_LEN))
will cause type overflow when seting unres_qlen. e.g.

$ echo 1027506 > /proc/sys/net/ipv4/neigh/eth1/unres_qlen
$ cat /proc/sys/net/ipv4/neigh/eth1/unres_qlen
1182657265
$ cat /proc/sys/net/ipv4/neigh/eth1/unres_qlen_bytes 
-2147479756

The gutted value is not that we setting。
But user/administrator don't know this is caused by int type overflow.

what's more, it is meaningless and even dangerous that unres_qlen_bytes is set
with negative number. Because, for unresolved neighbour address, kernel will cache packets
without limit in __neigh_event_send()(e.g. (u32)-1 = 2GB).


Signed-off-by: Shan Wei <davidshan@tencent.com>
---
 net/core/neighbour.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index f1c0c2e..36fc692 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -62,6 +62,9 @@ static void __neigh_notify(struct neighbour *n, int type, int flags);
 static void neigh_update_notify(struct neighbour *neigh);
 static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
 
+static int zero;
+static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN);
+
 static struct neigh_table *neigh_tables;
 #ifdef CONFIG_PROC_FS
 static const struct file_operations neigh_stat_seq_fops;
@@ -1787,8 +1790,7 @@ static int neightbl_fill_parms(struct sk_buff *skb, struct neigh_parms *parms)
 	    nla_put_u32(skb, NDTPA_QUEUE_LENBYTES, parms->queue_len_bytes) ||
 	    /* approximative value for deprecated QUEUE_LEN (in packets) */
 	    nla_put_u32(skb, NDTPA_QUEUE_LEN,
-			DIV_ROUND_UP(parms->queue_len_bytes,
-				     SKB_TRUESIZE(ETH_FRAME_LEN))) ||
+			parms->queue_len_bytes / SKB_TRUESIZE(ETH_FRAME_LEN)) ||
 	    nla_put_u32(skb, NDTPA_PROXY_QLEN, parms->proxy_qlen) ||
 	    nla_put_u32(skb, NDTPA_APP_PROBES, parms->app_probes) ||
 	    nla_put_u32(skb, NDTPA_UCAST_PROBES, parms->ucast_probes) ||
@@ -2777,9 +2779,13 @@ static int proc_unres_qlen(ctl_table *ctl, int write, void __user *buffer,
 	int size, ret;
 	ctl_table tmp = *ctl;
 
+	tmp.extra1 = &zero;
+	tmp.extra2 = &unres_qlen_max;
 	tmp.data = &size;
-	size = DIV_ROUND_UP(*(int *)ctl->data, SKB_TRUESIZE(ETH_FRAME_LEN));
-	ret = proc_dointvec(&tmp, write, buffer, lenp, ppos);
+
+	size = *(int *)ctl->data / SKB_TRUESIZE(ETH_FRAME_LEN);
+	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+
 	if (write && !ret)
 		*(int *)ctl->data = size * SKB_TRUESIZE(ETH_FRAME_LEN);
 	return ret;
@@ -2865,7 +2871,8 @@ static struct neigh_sysctl_table {
 			.procname	= "unres_qlen_bytes",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1		= &zero,
+			.proc_handler   = proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_PROXY_QLEN] = {
 			.procname	= "proxy_qlen",