linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mathias Krause <minipli@googlemail.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>,
	"David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Martin Willi <martin@revosec.ch>
Subject: Re: [PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid
Date: Thu, 20 Sep 2012 09:37:34 +0200	[thread overview]
Message-ID: <CA+rthh_tRHpQzy0jpbaqwNZTBk+f8t5=cFE4w7yu=6CM-chTSA@mail.gmail.com> (raw)
In-Reply-To: <20120920070508.GA4221@secunet.com>

On Thu, Sep 20, 2012 at 9:05 AM, Steffen Klassert
<steffen.klassert@secunet.com> wrote:
> On Thu, Sep 20, 2012 at 08:12:11AM +0200, Mathias Krause wrote:
>> On Thu, Sep 20, 2012 at 12:38 AM, Ben Hutchings
>> <bhutchings@solarflare.com> wrote:
>> > On Wed, 2012-09-19 at 23:33 +0200, Mathias Krause wrote:
>>
>> > I'm a little worried that the user-provided
>> > xfrm_replay_state_esn::bmp_len is not being directly validated anywhere.
>>
>> That's what my P.S. in the cover letter tried to hint at -- a missing
>> upper limit check. But as I wanted to avoid lengthy discussions about
>> the concrete value and the possible need for some sysctl knob to tune
>> this even further, I just left this as an exercise for someone else
>> who is more familiar with the code ;)
>>
>
> I think we should limit bmp_len to some sane value. RFC 4303 recommends
> an anti replay window size of 64 packets, so limiting bmp_len to cover
> 4096 packets should be more that enough. Also we can increase this value
> later without changing the user API if this is needed.

Okay. If no-one objects, I'll at add a upper limit check for 4096
packets to verify_replay().

>> [...]
>> I disagree. The value of nla_len() is ensured to be in the range of
>> [sizeof(*up), USHRT_MAX-NLA_HDRLEN], i.e. a positive 16 bit number,
>> when it passes nlmsg_parse() in xfrm_user_rcv_msg(). This in turn
>> allows us to assume the int value returned by nla_len() is actually
>> positive and the compiler can safely make it unsigned for the compare
>> -- no sign bit, no hassle.
>
> I think xfrm_replay_state_esn_len() should return the same type as
> nla_len(), no matter what we can assume from the current code base.

The type of the expression calculated in xfrm_replay_state_esn_len()
is size_t; the functions the value get passed onto (k*alloc, kmemdup,
memcpy, memcmp) expect a size_t argument; expressions where the value
is evaluated to calculate sizes (e.g. in xfrm_sa_len) operate on
size_t types. So size_t feels just natural.

> Also it should not return anything else than the other xfrm length
> calculation functions.

So the other functions should have a return type of size_t, too?

Anyway, such a cleanup should go into a separate patch as the other
functions are not vulnerable to an overflow like it could happen in
xfrm_replay_state_esn_len().

> Once we limited bmp_len, xfrm_replay_state_esn_len() should return
> always a positive value.

True. So int it'll be then again for xfrm_replay_state_esn_len() in v3
of the patch.


Thanks,
Mathias

  reply	other threads:[~2012-09-20  7:37 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-19 21:33 [PATCH 0/6] xfrm_user info leaks Mathias Krause
2012-09-19 21:33 ` [PATCH 1/6] xfrm_user: fix info leak in copy_to_user_auth() Mathias Krause
2012-09-19 21:33 ` [PATCH 2/6] xfrm_user: fix info leak in copy_to_user_state() Mathias Krause
2012-09-19 21:33 ` [PATCH 3/6] xfrm_user: fix info leak in copy_to_user_policy() Mathias Krause
2012-09-19 21:33 ` [PATCH 4/6] xfrm_user: fix info leak in copy_to_user_tmpl() Mathias Krause
2012-09-20  7:26   ` Steffen Klassert
2012-09-19 21:33 ` [PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid Mathias Krause
2012-09-19 22:38   ` Ben Hutchings
2012-09-20  6:12     ` Mathias Krause
2012-09-20  6:22       ` [PATCH v2] " Mathias Krause
2012-09-20  7:05       ` [PATCH 5/6] " Steffen Klassert
2012-09-20  7:37         ` Mathias Krause [this message]
2012-09-20 20:01         ` [PATCH v3 5/7] " Mathias Krause
2012-09-20  7:13       ` [PATCH 5/6] " Mathias Krause
2012-09-19 21:33 ` [PATCH 6/6] xfrm_user: don't copy esn replay window twice for new states Mathias Krause
2012-09-20  7:27   ` Steffen Klassert
2012-09-20 22:09 ` [PATCH 0/6] xfrm_user info leaks David Miller
2012-09-21  5:37   ` Mathias Krause

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+rthh_tRHpQzy0jpbaqwNZTBk+f8t5=cFE4w7yu=6CM-chTSA@mail.gmail.com' \
    --to=minipli@googlemail.com \
    --cc=bhutchings@solarflare.com \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin@revosec.ch \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).