On Wed, Jan 22, 2025 at 04:16:48PM +0300, Dan Carpenter wrote:
> On Wed, Jan 22, 2025 at 12:39:36PM +0000, Simon Horman wrote:
> > > The one caller that I didn't modify was xfrm_sa_len().  That's a bit
> > > complicated and also I'm kind of hoping that we don't handle user
> > > controlled data in that function?  The place where we definitely are
> > > handling user data is in xfrm_alloc_replay_state_esn() and this patch
> > > fixes that.
> >
> > Yes, that is a bit "complex".
> >
>
> I don't have a reason to suspect xfrm_sa_len() but if we were to write
> a paranoid version of it then I've written that draft below.  I stole
> Herbert's xfrm_kblen2klen() function[1].  Also the nlmsg_new() function
> would need to be updated as well.
>
> [1] https://lore.kernel.org/all/Z2KZC71JZ0QnrhfU@xxxxxxxxxxxxxxxxxxx/
>
> regards,
> dan carpenter
>
> diff --git a/include/net/netlink.h b/include/net/netlink.h
> index e015ffbed819..ca7a8152e6d4 100644
> --- a/include/net/netlink.h
> +++ b/include/net/netlink.h
> @@ -1015,6 +1015,8 @@ static inline struct nlmsghdr *nlmsg_put_answer(struct sk_buff *skb,
>   */
>  static inline struct sk_buff *nlmsg_new(size_t payload, gfp_t flags)
>  {
> +	if (payload > INT_MAX)
> +		return NULL;
>  	return alloc_skb(nlmsg_total_size(payload), flags);
>  }

Actually, this chunk is necessary.  Let me send that by itself.

regards,
dan carpenter
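Review bot: the new `if (payload > INT_MAX) return NULL;` guard in nlmsg_new() carries no comment explaining what it protects against, and the bound looks loose. The hunk shows `payload` arriving as a size_t and being handed to nlmsg_total_size() before alloc_skb(); if nlmsg_total_size() adds the netlink header length and alignment padding on top of `payload` (as its name suggests), then a value just under INT_MAX still pushes the computed total past the int range, so the check should leave headroom for that overhead rather than stopping exactly at INT_MAX. Please add a one-line comment stating that the check exists to keep the size_t payload from being truncated or wrapping when converted for nlmsg_total_size()/alloc_skb(), and consider tightening the bound to account for the header and alignment bytes, so that the next reader does not remove the check as redundant.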