Message ID | 1518838588.55655.10.camel@gmail.com
---|---
State | Awaiting Upstream, archived
Delegated to | David Miller
Series | [nf] netfilter: IDLETIMER: be syzkaller friendly
On Fri, Feb 16, 2018 at 07:36:28PM -0800, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> We had one report from syzkaller [1]
>
> First issue is that INIT_WORK() should be done before mod_timer()
> or we risk timer being fired too soon, even with a 1 second timer.
>
> Second issue is that we need to reject too big info->timeout
> to avoid overflows in msecs_to_jiffies(info->timeout * 1000), or
> risk looping, if result after overflow is 0.

Applied, thanks!
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c index 6c2482b709b1eca341926a8393f45dfead358561..1ac6600bfafd60b6b4d5aaf88a41fb57c6ec195b 100644 --- a/net/netfilter/xt_IDLETIMER.c +++ b/net/netfilter/xt_IDLETIMER.c @@ -146,11 +146,11 @@ static int idletimer_tg_create(struct idletimer_tg_info *info) timer_setup(&info->timer->timer, idletimer_tg_expired, 0); info->timer->refcnt = 1; + INIT_WORK(&info->timer->work, idletimer_tg_work); + mod_timer(&info->timer->timer, msecs_to_jiffies(info->timeout * 1000) + jiffies); - INIT_WORK(&info->timer->work, idletimer_tg_work); - return 0; out_free_attr: @@ -191,7 +191,10 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) pr_debug("timeout value is zero\n"); return -EINVAL; } - + if (info->timeout >= INT_MAX / 1000) { + pr_debug("timeout value is too big\n"); + return -EINVAL; + } if (info->label[0] == '\0' || strnlen(info->label, MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
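Review bot: in the first hunk (idletimer_tg_create, @@ -146,11 +146,11 @@) the reordering is correct but deserves a one-line comment above INIT_WORK() saying it must stay ahead of mod_timer(): once mod_timer() arms the timer, idletimer_tg_expired can run and touch info->timer->work, so the work item has to be initialized first, and the 1 second minimum timeout gives no guarantee about that. Suggested wording: `/* must be initialized before mod_timer(): the timer callback uses it */`. The armed timer is now immediately followed by `return 0;`, with the `out_free_attr:` label only reachable from the earlier failures, so no error path is left that would need to cancel a timer that was already started.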
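Review bot: in the second hunk (idletimer_tg_checkentry, @@ -191,7 +191,10 @@) the bound `info->timeout >= INT_MAX / 1000` is sufficient: INT_MAX / 1000 is 2147483, so every accepted timeout gives a product `info->timeout * 1000` below INT_MAX and the argument to msecs_to_jiffies() in idletimer_tg_create can no longer wrap to a small value or to 0, which is the looping case the commit message describes. Two small points: the hunk does not say why INT_MAX rather than UINT_MAX is the reference for an unsigned multiplication, so a short comment on the check (`/* keep timeout * 1000 within int range for msecs_to_jiffies() */`) would help the next reader; and the hunk deletes the blank line after the `timeout == 0` block, leaving the new check butted against both neighbours, which reads less clearly than the spaced-out style of the surrounding checks.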
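The second issue in the commit message is easy to misjudge by eye, so here is an added example (not part of the patch or of the kernel source) that reproduces the arithmetic in user space. It assumes the timeout field is a 32-bit unsigned integer, as the `__u32 timeout` in the xt_IDLETIMER UAPI header is, models the `info->timeout * 1000` multiplication in that width, applies the same `INT_MAX / 1000` bound the patch adds, and goes slightly beyond the page by computing, for any multiplier, the smallest timeout whose product wraps to exactly 0 (the value that would arm the timer with a zero delay).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the u32 timeout field of struct idletimer_tg_info.
 * Assumption for this example: the real field is __u32. */
typedef uint32_t timeout_t;

/* Models msecs_to_jiffies(info->timeout * 1000): the multiplication is done
 * in 32-bit unsigned arithmetic and silently wraps modulo 2^32. */
static uint32_t timeout_to_msecs(timeout_t timeout)
{
    return (uint32_t)(timeout * 1000u);
}

/* The two checks in idletimer_tg_checkentry after the patch:
 * reject 0 and reject anything at or above INT_MAX / 1000. */
static int timeout_is_valid(timeout_t timeout)
{
    if (timeout == 0)
        return 0;
    if (timeout >= INT_MAX / 1000)
        return 0;
    return 1;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b != 0) {
        uint64_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Smallest nonzero 32-bit value v such that v * factor == 0 (mod 2^32).
 * v * factor is a multiple of 2^32 exactly when v is a multiple of
 * 2^32 / gcd(2^32, factor); for factor 1000 that is 2^29 == 536870912. */
static timeout_t smallest_zero_wrap(uint32_t factor)
{
    uint64_t modulus = (uint64_t)1 << 32;
    return (timeout_t)(modulus / gcd64(modulus, factor));
}

/* Scan every timeout the patched check accepts and confirm the 32-bit
 * product equals the exact product, i.e. the bound leaves no wrap case.
 * Returns 1 when the whole accepted range is safe, 0 otherwise. */
static int all_valid_timeouts_safe(void)
{
    for (uint64_t t = 1; t < (uint64_t)(INT_MAX / 1000); t++) {
        uint64_t exact = t * 1000u;
        if (!timeout_is_valid((timeout_t)t))
            return 0;
        if (exact > UINT32_MAX || timeout_to_msecs((timeout_t)t) != exact)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: one value that wraps to 0, one that wraps to a
     * small delay, and the two values either side of the new bound. */
    timeout_t zero_wrap = smallest_zero_wrap(1000u);
    timeout_t small_wrap = 4294968u;
    timeout_t last_ok = INT_MAX / 1000 - 1;
    timeout_t first_rejected = INT_MAX / 1000;

    printf("timeout %u -> %u ms, accepted=%d\n", zero_wrap,
           timeout_to_msecs(zero_wrap), timeout_is_valid(zero_wrap));
    printf("timeout %u -> %u ms, accepted=%d\n", small_wrap,
           timeout_to_msecs(small_wrap), timeout_is_valid(small_wrap));
    printf("timeout %u -> %u ms, accepted=%d\n", last_ok,
           timeout_to_msecs(last_ok), timeout_is_valid(last_ok));
    printf("timeout %u -> %u ms, accepted=%d\n", first_rejected,
           timeout_to_msecs(first_rejected), timeout_is_valid(first_rejected));
    printf("accepted range free of wraparound: %d\n", all_valid_timeouts_safe());
    return 0;
}
```

Before the patch a rule with `--timeout 536870912` would have armed the timer with `msecs_to_jiffies(0) + jiffies`, and `--timeout 4294968` with a 704 ms delay instead of roughly 50 days; both are rejected by the new bound, and the scan confirms that nothing the bound accepts can wrap.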