diff mbox

[3/5] net/netfilter/ipvs/ip_vs_ctl.c: drop argument range check just before the check for equality

Message ID 1405697638-23767-1-git-send-email-andrey.krieger.utkin@gmail.com
State Changes Requested, archived
Delegated to: David Miller
Headers show

Commit Message

Andrey Utkin July 18, 2014, 3:33 p.m. UTC 
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80601
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Andrey Utkin <andrey.krieger.utkin@gmail.com>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 2 --
 1 file changed, 2 deletions(-)

Comments

Julian Anastasov July 18, 2014, 8:48 p.m. UTC | #1 
Hello,

On Fri, 18 Jul 2014, Andrey Utkin wrote:

> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80601
> Reported-by: David Binderman <dcb314@hotmail.com>
> Signed-off-by: Andrey Utkin <andrey.krieger.utkin@gmail.com>
> ---
>  net/netfilter/ipvs/ip_vs_ctl.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 581a658..4ed7b59 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -2338,8 +2338,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
>  
>  	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
>  		return -EINVAL;
> -	if (len < 0 || len >  MAX_ARG_LEN)
> -		return -EINVAL;

	The above check ensures the set_arglen[] value (some
struct size) does not exceed the arg[MAX_ARG_LEN] space. You can check
commit 04bcef2a83f40c ("ipvs: Add boundary check on ioctl arguments")
for more info. Still, check can be reduced to
if (len > MAX_ARG_LEN)... Also, len is unsigned, so len < 0 is
useless even for this reason.

>  	if (len != set_arglen[SET_CMDID(cmd)]) {
>  		pr_err("set_ctl: len %u != %u\n",
>  		       len, set_arglen[SET_CMDID(cmd)]);
> -- 
> 1.8.5.5

Regards

--
Julian Anastasov <ja@ssi.bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Andrey Utkin July 18, 2014, 9:06 p.m. UTC | #2 
2014-07-18 23:48 GMT+03:00 Julian Anastasov <ja@ssi.bg>:
>         The above check ensures the set_arglen[] value (some
> struct size) does not exceed the arg[MAX_ARG_LEN] space. You can check
> commit 04bcef2a83f40c ("ipvs: Add boundary check on ioctl arguments")
> for more info.

Thanks for info.
What about static check at compilation time?

#if (DAEMON_ARG_LEN > MAX_ARG_LEN) \
 || (SERVICE_ARG_LEN > MAX_ARG_LEN) \
 || (SVCDEST_ARG_LEN > MAX_ARG_LEN)
#error MAX_ARG_LEN exceeded in set_arglen table
#endif
Andrey Utkin July 19, 2014, 10:59 p.m. UTC | #3 
2014-07-19 0:06 GMT+03:00 Andrey Utkin <andrey.krieger.utkin@gmail.com>:
> What about static check at compilation time?
>
> #if (DAEMON_ARG_LEN > MAX_ARG_LEN) \
>  || (SERVICE_ARG_LEN > MAX_ARG_LEN) \
>  || (SVCDEST_ARG_LEN > MAX_ARG_LEN)
> #error MAX_ARG_LEN exceeded in set_arglen table
> #endif

This approach doesn't work, looks because sizeof() values are not
calculated at preprocessing stage.
Andrey Utkin July 19, 2014, 11:03 p.m. UTC | #4 
2014-07-20 1:59 GMT+03:00 Andrey Utkin <andrey.krieger.utkin@gmail.com>:
> This approach doesn't work, looks because sizeof() values are not
> calculated at preprocessing stage.

What about adding equivalent BUG_ON() statement to __init
ip_vs_register_nl_ioctl(), which "registers" do_ip_vs_set_ctl()
callback?
diff mbox

Patch

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 581a658..4ed7b59 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2338,8 +2338,6 @@  do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 
 	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
 		return -EINVAL;
-	if (len < 0 || len >  MAX_ARG_LEN)
-		return -EINVAL;
 	if (len != set_arglen[SET_CMDID(cmd)]) {
 		pr_err("set_ctl: len %u != %u\n",
 		       len, set_arglen[SET_CMDID(cmd)]);