netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/
@ 2013-07-24  8:39 Francesco Fusco
  2013-07-24  8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
  2013-07-24  8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
  0 siblings, 2 replies; 6+ messages in thread
From: Francesco Fusco @ 2013-07-24  8:39 UTC (permalink / raw)
  To: davem; +Cc: netdev

These two patches fix possible overflow errors in /proc/sys/net/ipv4/neigh/.

Francesco Fusco (2):
  neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
  sysctl: range checking in do_proc_dointvec_ms_jiffies_conv

 kernel/sysctl.c      |  6 +++++-
 net/core/neighbour.c | 29 ++++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 8 deletions(-)

-- 
1.8.3.1

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH net-next 1/2] neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
  2013-07-24  8:39 [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
@ 2013-07-24  8:39 ` Francesco Fusco
  2013-07-26 21:22   ` David Miller
  2013-07-24  8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
  1 sibling, 1 reply; 6+ messages in thread
From: Francesco Fusco @ 2013-07-24  8:39 UTC (permalink / raw)
  To: davem; +Cc: netdev

Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
assumed negative values when setting large numbers.

Signed-off-by: Francesco Fusco <ffusco@redhat.com>
---
 net/core/neighbour.c | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index b7de821..9232c68 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2767,6 +2767,7 @@ EXPORT_SYMBOL(neigh_app_ns);
 
 #ifdef CONFIG_SYSCTL
 static int zero;
+static int int_max = INT_MAX;
 static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN);
 
 static int proc_unres_qlen(struct ctl_table *ctl, int write,
@@ -2819,19 +2820,25 @@ static struct neigh_sysctl_table {
 			.procname	= "mcast_solicit",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_UCAST_PROBE] = {
 			.procname	= "ucast_solicit",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_APP_PROBE] = {
 			.procname	= "app_solicit",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_RETRANS_TIME] = {
 			.procname	= "retrans_time",
@@ -2874,7 +2881,9 @@ static struct neigh_sysctl_table {
 			.procname	= "proxy_qlen",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_ANYCAST_DELAY] = {
 			.procname	= "anycast_delay",
@@ -2916,19 +2925,25 @@ static struct neigh_sysctl_table {
 			.procname	= "gc_thresh1",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_GC_THRESH2] = {
 			.procname	= "gc_thresh2",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		[NEIGH_VAR_GC_THRESH3] = {
 			.procname	= "gc_thresh3",
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
-			.proc_handler	= proc_dointvec,
+			.extra1 	= &zero,
+			.extra2		= &int_max,
+			.proc_handler	= proc_dointvec_minmax,
 		},
 		{},
 	},
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
  2013-07-24  8:39 [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
  2013-07-24  8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
@ 2013-07-24  8:39 ` Francesco Fusco
  2013-07-24 14:35   ` Sergei Shtylyov
  2013-07-26 21:23   ` David Miller
  1 sibling, 2 replies; 6+ messages in thread
From: Francesco Fusco @ 2013-07-24  8:39 UTC (permalink / raw)
  To: davem; +Cc: netdev, Andrew Morton, linux-kernel

When (integer) sysctl values are expressed in ms and have to be
represented internally as jiffies. The msecs_to_jiffies function
returns an unsigned long, which gets assigned to the integer.
This patch prevents the value to be assigned if bigger than
INT_MAX, done in a similar way as in cba9f3 ("Range checking in
do_proc_dointvec_(userhz_)jiffies_conv").

Signed-off-by: Francesco Fusco <ffusco@redhat.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: linux-kernel@vger.kernel.org
---
 kernel/sysctl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index ac09d98..00813e5 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2346,7 +2346,11 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
 					    int write, void *data)
 {
 	if (write) {
-		*valp = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
+		unsigned long jif = 0;
+		jif =  msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
+		if (jif > INT_MAX)
+			return 1;
+		*valp = (int)jif;
 	} else {
 		int val = *valp;
 		unsigned long lval;
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
  2013-07-24  8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
@ 2013-07-24 14:35   ` Sergei Shtylyov
  2013-07-26 21:23   ` David Miller
  1 sibling, 0 replies; 6+ messages in thread
From: Sergei Shtylyov @ 2013-07-24 14:35 UTC (permalink / raw)
  To: Francesco Fusco; +Cc: davem, netdev, Andrew Morton, linux-kernel

Hello.

On 24-07-2013 12:39, Francesco Fusco wrote:

> When (integer) sysctl values are expressed in ms and have to be
> represented internally as jiffies. The msecs_to_jiffies function
> returns an unsigned long, which gets assigned to the integer.
> This patch prevents the value to be assigned if bigger than
> INT_MAX, done in a similar way as in cba9f3 ("Range checking in
> do_proc_dointvec_(userhz_)jiffies_conv").

> Signed-off-by: Francesco Fusco <ffusco@redhat.com>
> CC: Andrew Morton <akpm@linux-foundation.org>
> CC: linux-kernel@vger.kernel.org
> ---
>   kernel/sysctl.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)

> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index ac09d98..00813e5 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -2346,7 +2346,11 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
>   					    int write, void *data)
>   {
>   	if (write) {
> -		*valp = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
> +		unsigned long jif = 0;

    Pointless initializer. And an empty line wouldn't hurt after declaration.

> +		jif =  msecs_to_jiffies(*negp ? -*lvalp : *lvalp);

    One space after = is enough.

> +		if (jif > INT_MAX)
> +			return 1;
> +		*valp = (int)jif;

WBR, Sergei

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net-next 1/2] neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
  2013-07-24  8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
@ 2013-07-26 21:22   ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2013-07-26 21:22 UTC (permalink / raw)
  To: ffusco; +Cc: netdev

From: Francesco Fusco <ffusco@redhat.com>
Date: Wed, 24 Jul 2013 10:39:06 +0200

> Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
> gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
> assumed negative values when setting large numbers.
> 
> Signed-off-by: Francesco Fusco <ffusco@redhat.com>

Applied.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
  2013-07-24  8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
  2013-07-24 14:35   ` Sergei Shtylyov
@ 2013-07-26 21:23   ` David Miller
  1 sibling, 0 replies; 6+ messages in thread
From: David Miller @ 2013-07-26 21:23 UTC (permalink / raw)
  To: ffusco; +Cc: netdev, akpm, linux-kernel

From: Francesco Fusco <ffusco@redhat.com>
Date: Wed, 24 Jul 2013 10:39:07 +0200

> When (integer) sysctl values are expressed in ms and have to be
> represented internally as jiffies. The msecs_to_jiffies function
> returns an unsigned long, which gets assigned to the integer.
> This patch prevents the value to be assigned if bigger than
> INT_MAX, done in a similar way as in cba9f3 ("Range checking in
> do_proc_dointvec_(userhz_)jiffies_conv").
> 
> Signed-off-by: Francesco Fusco <ffusco@redhat.com>

Applied with the changes suggested by Sergei.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2013-07-26 21:23 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-07-24  8:39 [PATCH net-next 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
2013-07-24  8:39 ` [PATCH net-next 1/2] neigh: prevent overflowing params " Francesco Fusco
2013-07-26 21:22   ` David Miller
2013-07-24  8:39 ` [PATCH net-next 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
2013-07-24 14:35   ` Sergei Shtylyov
2013-07-26 21:23   ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).