Thread (7 messages) 7 messages, 4 authors, 2025-01-24

Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()

From: Simon Horman <horms@kernel.org>
Date: 2025-01-22 15:51:36
Also in: kernel-janitors, lkml

On Wed, Jan 22, 2025 at 04:49:17PM +0300, Dan Carpenter wrote:
quoted hunk ↗ jump to hunk
The "payload" variable is type size_t, however the nlmsg_total_size()
function will a few bytes to it and then truncate the result to type
int.  That means that if "payload" is more than UINT_MAX the alloc_skb()
function might allocate a buffer which is smaller than intended.

Cc: stable@vger.kernel.org
Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface")
Signed-off-by: Dan Carpenter <redacted>
---
 include/net/netlink.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/include/net/netlink.h b/include/net/netlink.h
index e015ffbed819..ca7a8152e6d4 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -1015,6 +1015,8 @@ static inline struct nlmsghdr *nlmsg_put_answer(struct sk_buff *skb,
  */
 static inline struct sk_buff *nlmsg_new(size_t payload, gfp_t flags)
 {
+	if (payload > INT_MAX)
+		return NULL;
 	return alloc_skb(nlmsg_total_size(payload), flags);
Hi Dan,

I wonder if this is sufficient.

If payload is INT_MAX then won't the call to nlmsg_msg_size() inside
nlmsg_total_size() overflow. And likewise, it feels that NLMSG_ALIGN
could overflow somehow.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help