Replace IP6_SFLSIZE() with struct_size() helper in order to avoid any
potential type mistakes or integer overflows that, in the worst
scenario, could lead to heap overflows.
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
include/net/if_inet6.h | 3 ---
net/ipv6/mcast.c | 20 +++++++++++++-------
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h
index 71bb4cc4d05d..42235c178b06 100644
--- a/include/net/if_inet6.h
+++ b/include/net/if_inet6.h
@@ -82,9 +82,6 @@ struct ip6_sf_socklist {
struct in6_addr sl_addr[];
};
-#define IP6_SFLSIZE(count) (sizeof(struct ip6_sf_socklist) + \
- (count) * sizeof(struct in6_addr))
-
#define IP6_SFBLOCK 10 /* allocate this many at once */
struct ipv6_mc_socklist {
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 54ec163fbafa..cd951faa2fac 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -447,7 +447,8 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
if (psl)
count += psl->sl_max;
- newpsl = sock_kmalloc(sk, IP6_SFLSIZE(count), GFP_KERNEL);
+ newpsl = sock_kmalloc(sk, struct_size(newpsl, sl_addr, count),
+ GFP_KERNEL);
if (!newpsl) {
err = -ENOBUFS;
goto done;
@@ -457,7 +458,8 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
if (psl) {
for (i = 0; i < psl->sl_count; i++)
newpsl->sl_addr[i] = psl->sl_addr[i];
- atomic_sub(IP6_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
+ atomic_sub(struct_size(psl, sl_addr, psl->sl_max),
+ &sk->sk_omem_alloc);
kfree_rcu(psl, rcu);
}
psl = newpsl;
@@ -525,8 +527,9 @@ int ip6_mc_msfilter(struct sock *sk, struct group_filter *gsf,
goto done;
}
if (gsf->gf_numsrc) {
- newpsl = sock_kmalloc(sk, IP6_SFLSIZE(gsf->gf_numsrc),
- GFP_KERNEL);
+ newpsl = sock_kmalloc(sk, struct_size(newpsl, sl_addr,
+ gsf->gf_numsrc),
+ GFP_KERNEL);
if (!newpsl) {
err = -ENOBUFS;
goto done;
@@ -543,7 +546,8 @@ int ip6_mc_msfilter(struct sock *sk, struct group_filter *gsf,
newpsl->sl_count, newpsl->sl_addr, 0);
if (err) {
mutex_unlock(&idev->mc_lock);
- sock_kfree_s(sk, newpsl, IP6_SFLSIZE(newpsl->sl_max));
+ sock_kfree_s(sk, newpsl, struct_size(newpsl, sl_addr,
+ newpsl->sl_max));
goto done;
}
mutex_unlock(&idev->mc_lock);
@@ -559,7 +563,8 @@ int ip6_mc_msfilter(struct sock *sk, struct group_filter *gsf,
if (psl) {
ip6_mc_del_src(idev, group, pmc->sfmode,
psl->sl_count, psl->sl_addr, 0);
- atomic_sub(IP6_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
+ atomic_sub(struct_size(psl, sl_addr, psl->sl_max),
+ &sk->sk_omem_alloc);
kfree_rcu(psl, rcu);
} else {
ip6_mc_del_src(idev, group, pmc->sfmode, 0, NULL, 0);
@@ -2607,7 +2612,8 @@ static int ip6_mc_leave_src(struct sock *sk, struct ipv6_mc_socklist *iml,
err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
psl->sl_count, psl->sl_addr, 0);
RCU_INIT_POINTER(iml->sflist, NULL);
- atomic_sub(IP6_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
+ atomic_sub(struct_size(psl, sl_addr, psl->sl_max),
+ &sk->sk_omem_alloc);
kfree_rcu(psl, rcu);
}
--
2.27.0
On 8/4/21 11:43 PM, Gustavo A. R. Silva wrote:
> Replace IP6_SFLSIZE() with struct_size() helper in order to avoid any
> potential type mistakes or integer overflows that, in the worst
> scenario, could lead to heap overflows.
>
> Signed-off-by: Gustavo A. R. Silva <[email protected]>
> ---
> include/net/if_inet6.h | 3 ---
> net/ipv6/mcast.c | 20 +++++++++++++-------
> 2 files changed, 13 insertions(+), 10 deletions(-)
>
> diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h
> index 71bb4cc4d05d..42235c178b06 100644
> --- a/include/net/if_inet6.h
> +++ b/include/net/if_inet6.h
> @@ -82,9 +82,6 @@ struct ip6_sf_socklist {
> struct in6_addr sl_addr[];
> };
>
> -#define IP6_SFLSIZE(count) (sizeof(struct ip6_sf_socklist) + \
> - (count) * sizeof(struct in6_addr))
> -
> #define IP6_SFBLOCK 10 /* allocate this many at once */
>
> struct ipv6_mc_socklist {
> diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
> index 54ec163fbafa..cd951faa2fac 100644
> --- a/net/ipv6/mcast.c
> +++ b/net/ipv6/mcast.c
> @@ -447,7 +447,8 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
>
> if (psl)
> count += psl->sl_max;
> - newpsl = sock_kmalloc(sk, IP6_SFLSIZE(count), GFP_KERNEL);
> + newpsl = sock_kmalloc(sk, struct_size(newpsl, sl_addr, count),
> + GFP_KERNEL);
I find the current code is more readable.
Please only change IP6_SFLSIZE() definition maybe