Message ID | 20201127154524.1902024-1-philmd@redhat.com |
---|---|
Series | net: Do not accept packets with invalid huge size |

On 11/27/20 4:45 PM, Philippe Mathieu-Daudé wrote:
> Hi,
>
> This is a simple attempt to avoid the following pattern:
>
>   ssize_t pkt_size = get_pkt_size(); // returns errno

Sorry, I meant: returns "-errno" (< 0).

>
>   // no check
>
>   send_packet(size_t size=pkt_size); // size casted to unsigned
>                                      // -> overflow
>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (2):
>   net: Do not accept packets bigger then NET_BUFSIZE
>   net: Assert no packet bigger than NET_BUFSIZE is queued
>
>  net/net.c   | 4 ++++
>  net/queue.c | 7 +++++++
>  2 files changed, 11 insertions(+)
>

On Fri, 27 Nov 2020 at 15:45, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> Hi,
>
> This is a simple attempt to avoid the following pattern:
>
>   ssize_t pkt_size = get_pkt_size(); // returns errno
>
>   // no check
>
>   send_packet(size_t size=pkt_size); // size casted to unsigned
>                                      // -> overflow

"RFC" and "for-5.2" are not a great combination at this point :-(

What are the consequences if we don't put this patchset in 5.2?

thanks
-- PMM

On 11/28/20 9:59 PM, Peter Maydell wrote:
> On Fri, 27 Nov 2020 at 15:45, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>>
>> Hi,
>>
>> This is a simple attempt to avoid the following pattern:
>>
>>   ssize_t pkt_size = get_pkt_size(); // returns errno
>>
>>   // no check
>>
>>   send_packet(size_t size=pkt_size); // size casted to unsigned
>>                                      // -> overflow
>
> "RFC" and "for-5.2" are not a great combination at this point :-(

"RFC" because I don't understand all the effects this assert can have.

"for-5.2" because it was raised as a security bug, but I don't have
access to the information, so I can not see the big picture.

> What are the consequences if we don't put this patchset in 5.2?

Jason suggested to postpone this. If this is security important, we can
release a 5.2.1-stable tag early I suppose.

Regards,

Phil.
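
The pattern from the cover letter, as an added C example that is not part of the thread or of QEMU's code: a negative -errno length converted to size_t, next to a check made while the value is still signed. get_pkt_size, unchecked_len, queue_packet and the two buffers are hypothetical stand-ins, and the NET_BUFSIZE value is assumed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed value for this example; the thread names NET_BUFSIZE without giving it. */
#define NET_BUFSIZE (4096 + 65536)

static uint8_t frame[2048];        /* constructed sample packet data */
static uint8_t queue[NET_BUFSIZE]; /* hypothetical destination queue slot */

/* Hypothetical backend read: packet length on success, -errno on failure. */
static ssize_t get_pkt_size(int fail)
{
    return fail ? -EIO : 1500;
}

/* The unchecked path: what a size_t parameter receives from a signed length. */
static size_t unchecked_len(ssize_t pkt_size)
{
    return (size_t)pkt_size; /* -EIO becomes a value close to SIZE_MAX */
}

/* Checked path: reject errors while the value is still signed, then bound it.
 * Returns the number of bytes queued, or -errno. */
static ssize_t queue_packet(const uint8_t *buf, ssize_t pkt_size)
{
    if (pkt_size < 0) {
        return pkt_size;           /* propagate the backend error */
    }
    if ((size_t)pkt_size > NET_BUFSIZE) {
        return -EMSGSIZE;          /* larger than any valid packet */
    }
    memcpy(queue, buf, (size_t)pkt_size);
    return pkt_size;
}

int main(void)
{
    ssize_t bad = get_pkt_size(1);
    printf("unchecked: %zd is seen as %zu\n", bad, unchecked_len(bad));
    printf("checked:   error path returns %zd\n", queue_packet(frame, bad));
    printf("checked:   1500-byte packet returns %zd\n",
           queue_packet(frame, get_pkt_size(0)));
    return 0;
}
```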