Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()
From: Simon Horman <horms@kernel.org>
Date: 2025-01-22 12:39:41
Also in:
kernel-janitors, lkml
On Tue, Jan 21, 2025 at 02:16:01PM +0300, Dan Carpenter wrote:
The problem is that "replay_esn->bmp_len" comes from the user and it's
a u32. The xfrm_replay_state_esn_len() function also returns a u32.
So if we choose a ->bmp_len which very high then the total will be
more than UINT_MAX and value will be truncated when we return. The
returned value will be smaller than expected causing problems in the
caller.
To fix this:
1) Use size_add() and size_mul(). This change is necessary for 32bit
systems.
2) Change the type of xfrm_replay_state_esn_len() and related variables
from u32 to size_t.
3) Remove the casts to (int). The size should never be negative.
Generally, values which come from size_add/mul() should stay as type
size_t and not be truncated to user fewer than all the bytes in a
unsigned long.
Cc: stable@vger.kernel.org
Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec extended sequence numbers")
Signed-off-by: Dan Carpenter <redacted>
---
The one caller that I didn't modify was xfrm_sa_len(). That's a bit
complicated and also I'm kind of hoping that we don't handle user
controlled data in that function? The place where we definitely are
handling user data is in xfrm_alloc_replay_state_esn() and this patch
fixes that.Yes, that is a bit "complex". FWIIW, my opinion is that your patch is correct and it improves things - even if the end result may still have imperfections. And for that reason I'm in favour of it being accepted. Reviewed-by: Simon Horman <horms@kernel.org>