[net,v2,1/3] net/packet: fix overflow in check for priv area size

Submitted by Andrey Konovalov on March 29, 2017, 2:11 p.m.

Details

Message ID 56da2aa1dec51c258eb25693ed87e4de72413463.1490796500.git.andreyknvl@google.com
State Accepted
Delegated to: David Miller
Headers show

Commit Message

Andrey Konovalov March 29, 2017, 2:11 p.m.
Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Eric Dumazet March 29, 2017, 3:50 p.m.
On Wed, 2017-03-29 at 16:11 +0200, Andrey Konovalov wrote:
> Subtracting tp_sizeof_priv from tp_block_size and casting to int
> to check whether one is less then the other doesn't always work
> (both of them are unsigned ints).
> 
> Compare them as is instead.
> 
> Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
> it can overflow inside BLK_PLUS_PRIV otherwise.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Patch hide | download patch | download mbox

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a0dbe7ca8f72..2323ee35dc09 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4193,8 +4193,8 @@  static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
-		    (int)(req->tp_block_size -
-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
+		    req->tp_block_size <=
+			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))