Thread (3 messages) 3 messages, 3 authors, 2025-03-12

Re: [PATCH v2 net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2025-03-12 14:48:51
Also in: kernel-janitors, lkml, lvs-devel, netfilter-devel

On Tue, Mar 11, 2025 at 07:50:44PM +0200, Julian Anastasov wrote:
	Hello,

On Mon, 10 Mar 2025, Dan Carpenter wrote:
quoted
The get->num_services variable is an unsigned int which is controlled by
the user.  The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.

Both "len" and "get->num_services" come from the user.  This check is
just a sanity check to help the user and ensure they are using the API
correctly.  An integer overflow here is not a big deal.  This has no
security impact.

Save the result from struct_size() type size_t to fix this integer
overflow bug.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <redacted>
	Looks good to me, thanks!

Acked-by: Julian Anastasov <ja@ssi.bg>

	Pablo, you can apply it to the nf tree.
Done, thanks Julian.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help