* [PATCH net-next v2 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/
@ 2013-07-24 14:52 Francesco Fusco
2013-07-24 14:52 ` [PATCH net-next v2 1/2] neigh: prevent overflowing params " Francesco Fusco
2013-07-24 14:52 ` [PATCH net-next v2 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
0 siblings, 2 replies; 3+ messages in thread
From: Francesco Fusco @ 2013-07-24 14:52 UTC (permalink / raw)
To: davem; +Cc: netdev
These two patches fix possible overflow errors in /proc/sys/net/ipv4/neigh/.
Francesco Fusco (2):
neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
kernel/sysctl.c | 6 +++++-
net/core/neighbour.c | 29 ++++++++++++++++++++++-------
2 files changed, 27 insertions(+), 8 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH net-next v2 1/2] neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
2013-07-24 14:52 [PATCH net-next v2 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
@ 2013-07-24 14:52 ` Francesco Fusco
2013-07-24 14:52 ` [PATCH net-next v2 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
1 sibling, 0 replies; 3+ messages in thread
From: Francesco Fusco @ 2013-07-24 14:52 UTC (permalink / raw)
To: davem; +Cc: netdev
Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
assumed negative values when setting large numbers.
Signed-off-by: Francesco Fusco <ffusco@redhat.com>
---
net/core/neighbour.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index b7de821..9232c68 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2767,6 +2767,7 @@ EXPORT_SYMBOL(neigh_app_ns);
#ifdef CONFIG_SYSCTL
static int zero;
+static int int_max = INT_MAX;
static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN);
static int proc_unres_qlen(struct ctl_table *ctl, int write,
@@ -2819,19 +2820,25 @@ static struct neigh_sysctl_table {
.procname = "mcast_solicit",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_UCAST_PROBE] = {
.procname = "ucast_solicit",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_APP_PROBE] = {
.procname = "app_solicit",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_RETRANS_TIME] = {
.procname = "retrans_time",
@@ -2874,7 +2881,9 @@ static struct neigh_sysctl_table {
.procname = "proxy_qlen",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_ANYCAST_DELAY] = {
.procname = "anycast_delay",
@@ -2916,19 +2925,25 @@ static struct neigh_sysctl_table {
.procname = "gc_thresh1",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_GC_THRESH2] = {
.procname = "gc_thresh2",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
[NEIGH_VAR_GC_THRESH3] = {
.procname = "gc_thresh3",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .extra1 = &zero,
+ .extra2 = &int_max,
+ .proc_handler = proc_dointvec_minmax,
},
{},
},
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH net-next v2 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv
2013-07-24 14:52 [PATCH net-next v2 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
2013-07-24 14:52 ` [PATCH net-next v2 1/2] neigh: prevent overflowing params " Francesco Fusco
@ 2013-07-24 14:52 ` Francesco Fusco
1 sibling, 0 replies; 3+ messages in thread
From: Francesco Fusco @ 2013-07-24 14:52 UTC (permalink / raw)
To: davem; +Cc: netdev, Andrew Morton, linux-kernel
When (integer) sysctl values are expressed in ms and have to be
represented internally as jiffies. The msecs_to_jiffies function
returns an unsigned long, which gets assigned to the integer.
This patch prevents the value to be assigned if bigger than
INT_MAX, done in a similar way as in cba9f3 ("Range checking in
do_proc_dointvec_(userhz_)jiffies_conv").
Signed-off-by: Francesco Fusco <ffusco@redhat.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: linux-kernel@vger.kernel.org
---
v1 => v2
- fix style suggested by Sergei Shtylyov
kernel/sysctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index ac09d98..07f6fc4 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2346,7 +2346,11 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
int write, void *data)
{
if (write) {
- *valp = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
+ unsigned long jif = msecs_to_jiffies(*negp ? -*lvalp : *lvalp);
+
+ if (jif > INT_MAX)
+ return 1;
+ *valp = (int)jif;
} else {
int val = *valp;
unsigned long lval;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-07-24 14:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-07-24 14:52 [PATCH net-next v2 0/2] Fix overflow errors in /proc/sys/net/ipv4/neigh/ Francesco Fusco
2013-07-24 14:52 ` [PATCH net-next v2 1/2] neigh: prevent overflowing params " Francesco Fusco
2013-07-24 14:52 ` [PATCH net-next v2 2/2] sysctl: range checking in do_proc_dointvec_ms_jiffies_conv Francesco Fusco
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).