[PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[Roel Kluin]

'datalen' is unsigned, use 'ret' instead to catch a negative return value.

Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
---
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index fbde461..b78d015 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -114,9 +114,10 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
 	if (defdata == NULL)
 		return -EINVAL;
 
-	datalen = nla_len(tb[TCA_DEF_DATA]);
-	if (datalen <= 0)
+	ret = nla_len(tb[TCA_DEF_DATA]);
+	if (ret <= 0)
 		return -EINVAL;
+	datalen = ret;
 
 	pc = tcf_hash_check(parm->index, a, bind, &simp_hash_info);
 	if (!pc) {

Re: [PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[David Miller]

From: Roel Kluin <12o3l@tiscali.nl>
Date: Thu, 17 Apr 2008 05:33:21 +0200

> 'datalen' is unsigned, use 'ret' instead to catch a negative return value.
> 
> Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
> ---
> diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
> index fbde461..b78d015 100644
> --- a/net/sched/act_simple.c
> +++ b/net/sched/act_simple.c
> @@ -114,9 +114,10 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
>  	if (defdata == NULL)
>  		return -EINVAL;
>  
> -	datalen = nla_len(tb[TCA_DEF_DATA]);
> -	if (datalen <= 0)
> +	ret = nla_len(tb[TCA_DEF_DATA]);
> +	if (ret <= 0)
>  		return -EINVAL;
> +	datalen = ret;
>  
>  	pc = tcf_hash_check(parm->index, a, bind, &simp_hash_info);
>  	if (!pc) {

This clobbers 'ret' which is compared to ACT_P_CREATED
later in the function.  If the !pc branch below this code
is not taken, ret must be left at it's initial value of
zero.  Now, it will take on some non-zero positive value
which is not correct.

Re: [PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 1274 bytes --]

David Miller wrote:
> From: Roel Kluin <12o3l@tiscali.nl>
> Date: Thu, 17 Apr 2008 05:33:21 +0200
> 
>> 'datalen' is unsigned, use 'ret' instead to catch a negative return value.
>>
>> Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
>> ---
>> diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
>> index fbde461..b78d015 100644
>> --- a/net/sched/act_simple.c
>> +++ b/net/sched/act_simple.c
>> @@ -114,9 +114,10 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
>>  	if (defdata == NULL)
>>  		return -EINVAL;
>>  
>> -	datalen = nla_len(tb[TCA_DEF_DATA]);
>> -	if (datalen <= 0)
>> +	ret = nla_len(tb[TCA_DEF_DATA]);
>> +	if (ret <= 0)
>>  		return -EINVAL;
>> +	datalen = ret;
>>  
>>  	pc = tcf_hash_check(parm->index, a, bind, &simp_hash_info);
>>  	if (!pc) {
> 
> This clobbers 'ret' which is compared to ACT_P_CREATED
> later in the function.  If the !pc branch below this code
> is not taken, ret must be left at it's initial value of
> zero.  Now, it will take on some non-zero positive value
> which is not correct.

The change is also unnecessary because the attribute was
already validated and the length can not be less than zero.

This patch changes it to only check for zero length.

Signed-off-by: Patrick McHardy <kaber@trash.net>


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 417 bytes --]

diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index fbde461..64b2d13 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -115,7 +115,7 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
 		return -EINVAL;
 
 	datalen = nla_len(tb[TCA_DEF_DATA]);
-	if (datalen <= 0)
+	if (datalen == 0)
 		return -EINVAL;
 
 	pc = tcf_hash_check(parm->index, a, bind, &simp_hash_info);

Re: [PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[jamal]

On Thu, 2008-17-04 at 06:55 +0200, Patrick McHardy wrote:

> The change is also unnecessary because the attribute was
> already validated and the length can not be less than zero.

Since act_simple is an academic example:
I think that a better solution is to add TCA_DEF_DATA (which is a
string) to the nla_policy. nla_policy is defined but at the moment it is
not used in the call to nla_parse_nested() - might as well use it.

Roel, would you like to take a crack at that? You will need to define
the max size of the string that TCA_DEF_DATA can hold (if you want to do
it cleanly then define it in include/linux/tc_act/tc_defact.h). This MAX
size will appear in the nla_policy.

cheers,
jamal

Re: [PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[Patrick McHardy]

jamal wrote:
> On Thu, 2008-17-04 at 06:55 +0200, Patrick McHardy wrote:
> 
>> The change is also unnecessary because the attribute was
>> already validated and the length can not be less than zero.
> 
> Since act_simple is an academic example:
> I think that a better solution is to add TCA_DEF_DATA (which is a
> string) to the nla_policy. nla_policy is defined but at the moment it is
> not used in the call to nla_parse_nested() - might as well use it.

Basic validity checks are always performed. But I agree, better
to provide a good example.

Re: [PATCH] NET: catch signed nla_len() retval in tcf_simp_init()

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 17 Apr 2008 06:55:35 +0200

> The change is also unnecessary because the attribute was
> already validated and the length can not be less than zero.
> 
> This patch changes it to only check for zero length.
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Even though there have been discussions to do other things,
this patch moves things in the forward direction so I have
applied it.

Thanks.