Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp802621ima; Wed, 24 Oct 2018 09:24:15 -0700 (PDT) X-Google-Smtp-Source: AJdET5fuL+eIg/JjBx9mGrCZ235xUBWIGx5V8xM9azkWa3TUsYI3XuA1PHfYBOYJ0BiNsEvFEjkf X-Received: by 2002:a62:ff18:: with SMTP id b24-v6mr2627333pfn.101.1540398255688; Wed, 24 Oct 2018 09:24:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540398255; cv=none; d=google.com; s=arc-20160816; b=Gnfiz1AK+sJ0wsXkL7f7tcpXdR2uT8t7neOcGD05mtHHGd4lIUFs0cgb0/aooIsker c7C1sbaDdDZJ4IzW/gMYB0kANIA+jtZQK2QZbLX+ZjpuX7uC7ClB0O6uA+rltLJ+7uPT HBns72tIIEINlcn+xuCVoSO2822RSbxmnfdjpgzl1EKb7JiC4dd+hNa3LQwzPYd+OZ4U 4uiLRHaVVpXektudCXpQCxJMrdw8S0OPSJ5nyvNFU/BTdx4rgss9Ya/gtigJduCNvSvj vNtc6A2F+DFpCL+zBj1cyFyjWbFlLTgnC8S34IkPgcHL8mxqDS1823EGSeIu6SO5zDp1 k4bA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=WQebUNkl5Gqk28GKLHZXg8c5V7m41fKZ9/fMl23Qvp4=; b=RWrNzqPHC81bSawLh9Fs3LWDllzmW9ZNaBtyHoKJE81y+135sFdsvkCmIteJMPj1rj rZBppyzF9XirshS+vgyakpN/OpQom63fclXrFCJNAcIRE+5MJE65fJhqeRZBXTo3iOE8 Cx0fJGfz/nmNuSD9cHTAtTjCmsBhPOOPJO3ga4xI/ey27bSi4nq2oCH7Oag+3VjhPtO6 DldrHl2eyOJCc4UGk6AcRynIFaykfKVpjNYKSpPznrRBMx8eeBFBl22l4l6D5l5SHicD j0oBhTvL3BiH3js4lV5d1eoNH3PNKKyNGdg7cX++dgekWX+4vImAKPGKQCBJHKEG8ByM 4cNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r3-v6si5214562pga.321.2018.10.24.09.24.00; Wed, 24 Oct 2018 09:24:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727000AbeJYAwH (ORCPT + 99 others); Wed, 24 Oct 2018 20:52:07 -0400 Received: from smtprelay0028.hostedemail.com ([216.40.44.28]:51566 "EHLO smtprelay.hostedemail.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726433AbeJYAwH (ORCPT ); Wed, 24 Oct 2018 20:52:07 -0400 Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay06.hostedemail.com (Postfix) with ESMTP id 2065918224D7B; Wed, 24 Oct 2018 16:23:23 +0000 (UTC) X-Session-Marker: 6A6F6540706572636865732E636F6D X-Spam-Summary: 2,0,0,,d41d8cd98f00b204,joe@perches.com,:::::::::::::::,RULES_HIT:41:355:379:599:960:973:988:989:1260:1277:1311:1313:1314:1345:1359:1437:1515:1516:1518:1534:1541:1593:1594:1711:1730:1747:1777:1792:2393:2553:2559:2562:2828:3138:3139:3140:3141:3142:3353:3622:3865:3866:3867:3868:3870:3871:3872:3873:4321:5007:6630:7903:9707:10004:10400:10848:11232:11658:11914:12663:12740:12760:12895:13069:13311:13357:13439:14096:14097:14659:14721:21080:21627:21795:30054:30070:30090:30091,0,RBL:47.151.153.53:@perches.com:.lbl8.mailshell.net-62.14.0.100 64.201.201.201,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:29,LUA_SUMMARY:none X-HE-Tag: whip33_1d4086329a056 X-Filterd-Recvd-Size: 2285 Received: from XPS-9350.home (unknown [47.151.153.53]) (Authenticated sender: joe@perches.com) by omf10.hostedemail.com (Postfix) with ESMTPA; Wed, 24 Oct 2018 16:23:20 +0000 (UTC) Message-ID: <60f08664db5751949ddfb34666bfda77f99682f1.camel@perches.com> Subject: Re: [PATCH] Change judgment len position From: Joe Perches To: Willy Tarreau , Wang Hai Cc: edumazet@google.com, davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Date: Wed, 24 Oct 2018 09:23:19 -0700 In-Reply-To: <20181024155739.GA25314@1wt.eu> References: <20181024154729.5312-1-wanghaifine@gmail.com> <20181024155739.GA25314@1wt.eu> Content-Type: text/plain; charset="ISO-8859-1" User-Agent: Evolution 3.30.1-1build1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-10-24 at 17:57 +0200, Willy Tarreau wrote: > On Wed, Oct 24, 2018 at 11:47:29PM +0800, Wang Hai wrote: > > To determine whether len is less than zero, it should be put before > > the function min_t, because the return value of min_t is not likely > > to be less than zero. > > Huh? First, the <0 test is made on "len", not "min_t", so it still > is signed. Second, you're in fact completely removing the test here, > look : > > > struct net *net = sock_net(sk); > > int val, len; > > > > + len = min_t(unsigned int, len, sizeof(int)); > > + > > len is used uninitialized here, so the result is undefined. > > > if (get_user(len, optlen)) > > return -EFAULT; > > Then it gets overridden by get_user() > > > - len = min_t(unsigned int, len, sizeof(int)); > > - > > Then its positive values are not bounded anymore since you moved the test. Not quite. Problem here is negative values are tested as large positive values and limited to 4 ie: ien len = -1, len = min_t(unsigned int, len, sizeof(int)); len is now 4 > > if (len < 0) > > return -EINVAL; So this test len < 0 could be moved up above min_t > Then only negative values are dropped. So unless I'm missing something > obvious, you're just allowing len to be as large as 2GB-1 based on the > user's fed optlen. > > Am I wrong ? > > Willychee