netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] net/packet: fix 4gb buffer limit due to overflow check
@ 2019-02-09 20:37 Kal Conley
  2019-02-10  3:01 ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Kal Conley @ 2019-02-09 20:37 UTC (permalink / raw)
  To: davem
  Cc: kal.conley, Willem de Bruijn, Eric Dumazet, Greg Kroah-Hartman,
	Jeff Kirsher, Alexander Duyck, Kirill Tkhai, Vincent Whitchurch,
	Li RongQing, Magnus Karlsson, open list:NETWORKING [GENERAL],
	open list

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow. Check it for overflow without limiting the total buffer
size to UINT_MAX.

This change fixes support for packet ring buffers >= UINT_MAX.
---
 net/packet/af_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index d0945253f43b..d603a430378e 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4291,7 +4291,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
 		if (unlikely(rb->frames_per_block == 0))
 			goto out;
-		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+		if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))
 			goto out;
 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
 					req->tp_frame_nr))
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] net/packet: fix 4gb buffer limit due to overflow check
  2019-02-09 20:37 [PATCH] net/packet: fix 4gb buffer limit due to overflow check Kal Conley
@ 2019-02-10  3:01 ` David Miller
  2019-02-10  8:57   ` [PATCH v2] " Kal Conley
  0 siblings, 1 reply; 4+ messages in thread
From: David Miller @ 2019-02-10  3:01 UTC (permalink / raw)
  To: kal.conley
  Cc: willemb, edumazet, gregkh, jeffrey.t.kirsher, alexander.h.duyck,
	ktkhai, vincent.whitchurch, lirongqing, magnus.karlsson, netdev,
	linux-kernel

From: Kal Conley <kal.conley@dectris.com>
Date: Sat,  9 Feb 2019 21:37:00 +0100

> When calculating rb->frames_per_block * req->tp_block_nr the result
> can overflow. Check it for overflow without limiting the total buffer
> size to UINT_MAX.
> 
> This change fixes support for packet ring buffers >= UINT_MAX.

Please resubmit with a proper signoff and also an appropriate Fixes:
tag.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH v2] net/packet: fix 4gb buffer limit due to overflow check
  2019-02-10  3:01 ` David Miller
@ 2019-02-10  8:57   ` Kal Conley
  2019-02-12 18:38     ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Kal Conley @ 2019-02-10  8:57 UTC (permalink / raw)
  To: davem
  Cc: kal.conley, Willem de Bruijn, Eric Dumazet, Alexander Duyck,
	Jeff Kirsher, Kirill Tkhai, Vincent Whitchurch, Li RongQing,
	Magnus Karlsson, netdev, linux-kernel

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow. Check it for overflow without limiting the total buffer
size to UINT_MAX.

This change fixes support for packet ring buffers >= UINT_MAX.

Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr")
Signed-off-by: Kal Conley <kal.conley@dectris.com>
---
Changes in v2:
- Add Signed-off-by and Fixes tag

 net/packet/af_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 3b1a78906bc0..1cd1d83a4be0 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4292,7 +4292,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
 		if (unlikely(rb->frames_per_block == 0))
 			goto out;
-		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+		if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))
 			goto out;
 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
 					req->tp_frame_nr))
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH v2] net/packet: fix 4gb buffer limit due to overflow check
  2019-02-10  8:57   ` [PATCH v2] " Kal Conley
@ 2019-02-12 18:38     ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2019-02-12 18:38 UTC (permalink / raw)
  To: kal.conley
  Cc: willemb, edumazet, alexander.h.duyck, jeffrey.t.kirsher, ktkhai,
	vincent.whitchurch, lirongqing, magnus.karlsson, netdev,
	linux-kernel

From: Kal Conley <kal.conley@dectris.com>
Date: Sun, 10 Feb 2019 09:57:11 +0100

> When calculating rb->frames_per_block * req->tp_block_nr the result
> can overflow. Check it for overflow without limiting the total buffer
> size to UINT_MAX.
> 
> This change fixes support for packet ring buffers >= UINT_MAX.
> 
> Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr")
> Signed-off-by: Kal Conley <kal.conley@dectris.com>
> ---
> Changes in v2:
> - Add Signed-off-by and Fixes tag

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-02-12 18:38 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-09 20:37 [PATCH] net/packet: fix 4gb buffer limit due to overflow check Kal Conley
2019-02-10  3:01 ` David Miller
2019-02-10  8:57   ` [PATCH v2] " Kal Conley
2019-02-12 18:38     ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).