* [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/
@ 2013-07-24 8:39 Francesco Fusco
2013-07-24 8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
2013-07-24 8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
0 siblings, 2 replies; 6+ messages in thread
From: Francesco Fusco @ 2013-07-24 8:39 UTC (permalink / raw)
To: davem; +Cc: netdev
These two patches fix possible overflow errors in /proc/sys/net/ipv4/neigh/.
Francesco Fusco (2):
neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
kernel/sysctl.c | 6 +++++-
net/core/neighbour.c | 29 ++++++++++++++++++++++-------
2 files changed, 27 insertions(+), 8 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net-next 1/2] neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
2013-07-24 8:39 [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
@ 2013-07-24 8:39 ` Francesco Fusco
2013-07-26 21:22 ` David Miller
2013-07-24 8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
1 sibling, 1 reply; 6+ messages in thread
From: Francesco Fusco @ 2013-07-24 8:39 UTC (permalink / raw)
To: davem; +Cc: netdev
Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
assumed negative values when setting large numbers.
Signed-off-by: Francesco Fusco <ffusco@redhat.com>
---
net/core/neighbour.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index b7de821..9232c68 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2767,6 +2767,7 @@ EXPORT_SYMBOL(neigh_app_ns);
#ifdef CONFIG_SYSCTL
static int zero;
+static int int_max = INT_MAX;
static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN);
static int proc_unres_qlen(struct ctl_table *ctl, int write,
@@ -2819,19 +2820,25 @@ static struct neigh_sysctl_table {
.procname = "mcast_solicit",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_UCAST_PROBE] = {
.procname = "ucast_solicit",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_APP_PROBE] = {
.procname = "app_solicit",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_RETRANS_TIME] = {
.procname = "retrans_time",
@@ -2874,7 +2881,9 @@ static struct neigh_sysctl_table {
.procname = "proxy_qlen",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_ANYCAST_DELAY] = {
.procname = "anycast_delay",
@@ -2916,19 +2925,25 @@ static struct neigh_sysctl_table {
.procname = "gc_thresh1",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_GC_THRESH2] = {
.procname = "gc_thresh2",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_GC_THRESH3] = {
.procname = "gc_thresh3",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
{},
},
--
1.8.3.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
2013-07-24 8:39 [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
2013-07-24 8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
@ 2013-07-24 8:39 ` Francesco Fusco
2013-07-24 14:35 ` Sergei Shtylyov
2013-07-26 21:23 ` David Miller
1 sibling, 2 replies; 6+ messages in thread
From: Francesco Fusco @ 2013-07-24 8:39 UTC (permalink / raw)
To: davem; +Cc: netdev, Andrew Morton, linux-kernel
When (integer) sysctl values are expressed in ms and have to be
represented internally as jiffies. The msecs_to_jiffies function
returns an unsigned long, which gets assigned to the integer.
This patch prevents the value to be assigned if bigger than
INT_MAX, done in a similar way as in cba9f3 ("Range checking in
do_proc_dointvec_(userhz_)jiffies_conv").
Signed-off-by: Francesco Fusco <ffusco@redhat.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: linux-kernel@vger.kernel.org
---
kernel/sysctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index ac09d98..00813e5 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2346,7 +2346,11 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
int write, void *data)
{
if (write) {
- *valp = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
+ unsigned long jif = 0;
+ jif = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
+ if (jif > INT_MAX)
+ return 1;
+ *valp = (int)jif;
} else {
int val = *valp;
unsigned long lval;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
2013-07-24 8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
@ 2013-07-24 14:35 ` Sergei Shtylyov
2013-07-26 21:23 ` David Miller
1 sibling, 0 replies; 6+ messages in thread
From: Sergei Shtylyov @ 2013-07-24 14:35 UTC (permalink / raw)
To: Francesco Fusco; +Cc: davem, netdev, Andrew Morton, linux-kernel
Hello.
On 24-07-2013 12:39, Francesco Fusco wrote:
> When (integer) sysctl values are expressed in ms and have to be
> represented internally as jiffies. The msecs_to_jiffies function
> returns an unsigned long, which gets assigned to the integer.
> This patch prevents the value to be assigned if bigger than
> INT_MAX, done in a similar way as in cba9f3 ("Range checking in
> do_proc_dointvec_(userhz_)jiffies_conv").
> Signed-off-by: Francesco Fusco <ffusco@redhat.com>
> CC: Andrew Morton <akpm@linux-foundation.org>
> CC: linux-kernel@vger.kernel.org
> ---
> kernel/sysctl.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index ac09d98..00813e5 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -2346,7 +2346,11 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
> int write, void *data)
> {
> if (write) {
> - *valp = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
> + unsigned long jif = 0;
Pointless initializer. And an empty line wouldn't hurt after declaration.
> + jif = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
One space after = is enough.
> + if (jif > INT_MAX)
> + return 1;
> + *valp = (int)jif;
WBR, Sergei
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next 1/2] neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
2013-07-24 8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
@ 2013-07-26 21:22 ` David Miller
0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2013-07-26 21:22 UTC (permalink / raw)
To: ffusco; +Cc: netdev
From: Francesco Fusco <ffusco@redhat.com>
Date: Wed, 24 Jul 2013 10:39:06 +0200
> Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
> gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
> assumed negative values when setting large numbers.
>
> Signed-off-by: Francesco Fusco <ffusco@redhat.com>
Applied.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
2013-07-24 8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
2013-07-24 14:35 ` Sergei Shtylyov
@ 2013-07-26 21:23 ` David Miller
1 sibling, 0 replies; 6+ messages in thread
From: David Miller @ 2013-07-26 21:23 UTC (permalink / raw)
To: ffusco; +Cc: netdev, akpm, linux-kernel
From: Francesco Fusco <ffusco@redhat.com>
Date: Wed, 24 Jul 2013 10:39:07 +0200
> When (integer) sysctl values are expressed in ms and have to be
> represented internally as jiffies. The msecs_to_jiffies function
> returns an unsigned long, which gets assigned to the integer.
> This patch prevents the value to be assigned if bigger than
> INT_MAX, done in a similar way as in cba9f3 ("Range checking in
> do_proc_dointvec_(userhz_)jiffies_conv").
>
> Signed-off-by: Francesco Fusco <ffusco@redhat.com>
Applied with the changes suggested by Sergei.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2013-07-26 21:23 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-07-24 8:39 [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
2013-07-24 8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
2013-07-26 21:22 ` David Miller
2013-07-24 8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
2013-07-24 14:35 ` Sergei Shtylyov
2013-07-26 21:23 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).