From: Jon Maloy
To: Wenwen Wang
CC: Kangjie Lu, Ying Xue, "David S. Miller", "open list:TIPC NETWORK LAYER", "open list:TIPC NETWORK LAYER", open list
Subject: RE: [PATCH] tipc: fix a potential missing-check bug
Date: Tue, 1 May 2018 12:01:22 +0000
In-Reply-To: <1525148761-11091-1-git-send-email-wang6495@umn.edu>

> -----Original Message-----
> From: Wenwen Wang [mailto:wang6495@umn.edu]
> Sent: Tuesday, May 01, 2018 00:26
> To: Wenwen Wang
> Cc: Kangjie Lu; Jon Maloy; Ying Xue; David S. Miller;
> open list:TIPC NETWORK LAYER; open list:TIPC NETWORK LAYER; open list
> Subject: [PATCH] tipc: fix a potential missing-check bug
>
> In tipc_link_xmit(), the member field "len" of l->backlog[imp] must be less
> than the member field "limit" of l->backlog[imp] when imp is equal to
> TIPC_SYSTEM_IMPORTANCE. Otherwise, an error code, i.e., -ENOBUFS, is
> returned. This is enforced by the security check. However, at the end of
> tipc_link_xmit(), the length of "list" is added to l->backlog[imp].len without
> any further check. This can potentially cause unexpected values for
> l->backlog[imp].len. If imp is equal to TIPC_SYSTEM_IMPORTANCE and the
> original value of l->backlog[imp].len is less than l->backlog[imp].limit, after
> this addition, l->backlog[imp] could be larger than
> l->backlog[imp].limit.

It can, but only once. That is the intention with allowing oversubscription. This is expected and permitted.
At next sending attempt, if the send queue has not been reduced in the meantime, the link will be reset, as intended.

> That means the security check can potentially be
> bypassed, especially when an adversary can control the length of "list".

The length of 'list' is entirely controlled by TIPC itself, either by the socket layer (where length always is 1 for this type of messages) or name_dist. In the latter case the length is also 1, except at first link setup, when there is guaranteed to be no congestion anyway.

I appreciate your interest, but this patch is not needed.

BR
///jon

>
> This patch performs such a check after the modification to
> l->backlog[imp].len (if imp is TIPC_SYSTEM_IMPORTANCE) to avoid such
> security issues. An error code will be returned if an unexpected value of
> l->backlog[imp].len is generated.
>
> Signed-off-by: Wenwen Wang > --- > net/tipc/link.c | 5 +++++ > 1 file changed, 5 insertions(+) >=20 > diff --git a/net/tipc/link.c b/net/tipc/link.c index 695acb7..62972fa 100= 644 > --- a/net/tipc/link.c > +++ b/net/tipc/link.c > @@ -948,6 +948,11 @@ int tipc_link_xmit(struct tipc_link *l, struct > sk_buff_head *list, > continue; > } > l->backlog[imp].len +=3D skb_queue_len(list); > + if (imp =3D=3D TIPC_SYSTEM_IMPORTANCE && > + l->backlog[imp].len >=3D l->backlog[imp].limit) { > + pr_warn("%s<%s>, link overflow", link_rst_msg, l- > >name); > + return -ENOBUFS; > + } > skb_queue_splice_tail_init(list, backlogq); > } > l->snd_nxt =3D seqno; > -- > 2.7.4
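
Review bot: the added early return sits between `l->backlog[imp].len += skb_queue_len(list);` and `skb_queue_splice_tail_init(list, backlogq);`, so when it fires the counter has already been raised for buffers that are never spliced onto backlogq, and len no longer matches the queue. If a check is wanted at this point, compare `l->backlog[imp].len + skb_queue_len(list)` against the limit before the addition, or subtract the length again on the error path. The `>=` test after the addition also rejects a send that lands exactly on the limit, which is stricter than the "len must be less than limit" rule the commit message describes for the existing check. Minor: the pr_warn format string has no trailing newline.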
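
The check-then-add behaviour debated in this thread, as an added user-space model (not code from the patch or from the kernel): it shows that the backlog counter can pass the limit once, by less than one list length, and that the next send is then refused. The names backlog_model, model_xmit and model_peak, and the sample values, are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model of one backlog level: the two fields the thread discusses. */
struct backlog_model {
    unsigned int len;    /* buffers currently accounted to the backlog */
    unsigned int limit;  /* threshold tested before a send is accepted */
};

/* Check-then-add, as the commit message describes tipc_link_xmit():
 * refuse when len has already reached limit, otherwise accept the whole
 * list, even if that pushes len past limit. */
static int model_xmit(struct backlog_model *b, unsigned int list_len)
{
    if (b->len >= b->limit)
        return -ENOBUFS;   /* per the reply: the link is reset at this point */
    b->len += list_len;    /* oversubscription can happen here, once */
    return 0;
}

/* Keep sending lists of list_len until one is refused; return the peak len. */
static unsigned int model_peak(unsigned int limit, unsigned int list_len)
{
    struct backlog_model b = { .len = 0, .limit = limit };

    if (list_len == 0)
        return 0;          /* an empty list never changes len */
    while (model_xmit(&b, list_len) == 0)
        ;
    return b.len;
}

int main(void)
{
    /* Constructed values: limit 10, lists of 1 and of 4 buffers. */
    printf("peak, list_len=1: %u\n", model_peak(10, 1));
    printf("peak, list_len=4: %u\n", model_peak(10, 4));
    return 0;
}
```

In this model the peak never exceeds limit - 1 + list_len, so the overshoot is bounded by whoever chooses the list length, which is the point the reply makes about TIPC controlling it.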