Fri, Mar 01, 2024 at 04:12:24PM CET, Lena.Wang@xxxxxxxxxxxx wrote:
>From: Lena Wang <lena.wang@xxxxxxxxxxxx>
>
>UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
>that are out of bounds for their data type.
>
>vmlinux get_bitmap(b=75) + 712
><net/netfilter/nf_conntrack_h323_asn1.c:0>
>vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
>level=134443100) + 1956
><net/netfilter/nf_conntrack_h323_asn1.c:592>
>vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
><net/netfilter/nf_conntrack_h323_asn1.c:814>
>vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
><net/netfilter/nf_conntrack_h323_asn1.c:576>
>vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
><net/netfilter/nf_conntrack_h323_asn1.c:814>
>vmlinux DecodeRasMessage() + 304
><net/netfilter/nf_conntrack_h323_asn1.c:833>
>vmlinux ras_help() + 684
><net/netfilter/nf_conntrack_h323_main.c:1728>
>vmlinux nf_confirm() + 188
><net/netfilter/nf_conntrack_proto.c:137>
>
>Due to abnormal data in skb->data, the extension bitmap length
>exceeds 32 when decoding ras message. Then get_bitmap uses the
>length to make a shift operation. It will change into negative
>after several loops.
>
>UBSAN load can detect a negative shift as an undefined behaviour
>and reports an exception.
>
>So we should add the protection to avoid the length exceeding 32.
>If it exceeds it will return out of range error and stop decoding
>ras message.
>
>Signed-off-by: Lena Wang <lena.wang@xxxxxxxxxxxx>

Missing "Fixes" tag, again...
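
An added example, not code from the patch or from nf_conntrack_h323_asn1.c: a simplified model of the failure described in the commit message, where a shift count that starts at 24 and drops by 8 per byte goes negative once the bitmap length exceeds 32, next to a reader that rejects such a length before shifting. The names last_shift, read_bitmap and the ERR_* codes, the byte-aligned layout and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_NONE   0
#define ERR_BOUND  (-1)  /* input shorter than the declared bitmap */
#define ERR_RANGE  (-2)  /* bitmap wider than the 32-bit accumulator */

/* Shift count an unchecked byte loop would reach on its last byte.
 * Only computed here, never used as a shift, so nothing undefined runs. */
int last_shift(unsigned int bits)
{
    int nbytes = (int)(bits / 8 + (bits % 8 != 0));
    return nbytes ? 24 - 8 * (nbytes - 1) : 24;
}

/* Read a byte-aligned bitmap of `bits` bits, left-aligned in *out.
 * The length comes from the packet, so it is validated before any shift. */
int read_bitmap(const uint8_t *buf, size_t len, unsigned int bits, uint32_t *out)
{
    uint32_t v = 0;
    size_t nbytes;
    int shift = 24;

    if (bits > 32)
        return ERR_RANGE;              /* stop decoding, as the patch describes */
    nbytes = (bits + 7) / 8;
    if (nbytes > len)
        return ERR_BOUND;
    for (size_t i = 0; i < nbytes; i++, shift -= 8)
        v |= (uint32_t)buf[i] << shift;        /* shift stays in 0..24 */
    if (bits)
        v &= UINT32_MAX << (32 - bits);        /* 32 - bits is in 0..31 */
    *out = v;
    return ERR_NONE;
}

int main(void)
{
    /* Constructed sample bytes, not taken from a real RAS message. */
    const uint8_t pkt[10] = { 0xAB, 0xCD, 0xEF, 0x12, 0x34, 0, 0, 0, 0, 0 };
    uint32_t v = 0;

    printf("unchecked last shift for b=75: %d\n", last_shift(75));
    printf("read_bitmap(b=75) -> %d\n", read_bitmap(pkt, sizeof pkt, 75, &v));
    if (read_bitmap(pkt, sizeof pkt, 12, &v) == ERR_NONE)
        printf("read_bitmap(b=12) -> 0x%08X\n", (unsigned int)v);
    return 0;
}
```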