Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3354458pxb;
        Mon, 4 Apr 2022 14:27:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwcMgLDVNZy3SC3yaphyMHke4z0TuJAF31hqxLD49MXaoyf5+ljSVb7nJBwN6MMwI+URMuT
X-Received: by 2002:a17:902:7d81:b0:14f:e18b:2b9e with SMTP id a1-20020a1709027d8100b0014fe18b2b9emr62386plm.160.1649107648763;
        Mon, 04 Apr 2022 14:27:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649107648; cv=none;
        d=google.com; s=arc-20160816;
        b=kSFRIYux7yPHFnxwQEe6rAo7ZRhuxKCD+vfkdiQBJLNOe1sAgjVfNbIXzmirs3nIlO
         40UJkzVInon5u8jT9l/RxWVgF2q0oJjrlXGSlo9+U/gm0489AeryuV69kO7jXdY0WHJT
         3YR/ievA3/DyTlcURduQrboT24HjxfVrJl9uJoM/YmKHQwNa1S4ioVuQ++5cignXhpwx
         hufTc5LeSKI0cYu8iIc+ENahyxv7ZGvNezx5mme4ajB9yyis1FbTd1JYM1TaNOTlByiQ
         Q4MXwNHYTlrnNFCo/XB4/tBuwvFuf6xT1t7DcVen6G0RP+aOZuOOgyCIT5gc8f/cLEjR
         alTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=HUbrwVeZVKevv1ccUbUUBNwvbKoAshnIxszj5qldaZE=;
        b=Li1KVMp0m+BH1oOt33DnpwvBvP5m8m/alpv3vlQ0cJkQhaX3vqM+beleJvsgzVtiOQ
         TKWdcGE7h/XigIYmauEmfD+SLVIFL4BkEc2UmCDS9wyc3Jqgizo4f58SWJrJwXZGaijc
         OaU6sdOMb4KlzNYdCJupRzMzIYF5K0Z76ysA6EahJ10TCQPZVjLXqiDxUTu6hKYJvbsu
         Jh59WnnSexgpxdwIvtapoo5IfldBssuAeaK5PT9lmPBmyDG83TmgcJpKiX8k0Pjvjhxu
         2Hqm4jxvMaPU7p+Hes8f8z2o5KsI1omo9URe4zr8vEMpsjByDwIt1P15qpo4ntP7G+CY
         7NZw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KYGsJOyP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id gm3-20020a17090b100300b001c9818229c8si61976pjb.163.2022.04.04.14.27.13;
        Mon, 04 Apr 2022 14:27:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KYGsJOyP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1348007AbiDAOly (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Fri, 1 Apr 2022 10:41:54 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57796 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1348336AbiDAOeF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Apr 2022 10:34:05 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E3B7B7F6;
        Fri,  1 Apr 2022 07:32:16 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 2C70C61C1A;
        Fri,  1 Apr 2022 14:32:16 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D8581C340F2;
        Fri,  1 Apr 2022 14:32:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1648823535;
        bh=dGEdT/4UWGJMLbUw9a2FEv9E8tfibTs3j7vfva8scJA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=KYGsJOyPIG0e/wLhrTqkQ9yEBn0WXKzsi11uOzkuXxsfGL8J0TmVlSFr7PZircYWG
         7IJL8oHV08VPEEave8JB1F+vwNqGjfNXSshMY7umkZyl0LiMDJ0gUmwkKS/+ZGRlAH
         pyKJph6pKO9RHby5ZimbZ93gERqLg8fU175HGyKX4/Sw1wO10fIJ0EWB+sBPgZWWv2
         gsXaOtnn3rZqTfay4evHDsXcTZxc+/11TFKwaIxW6bEC0cqhgULEkSocM1Iir0Lf9Z
         yiniONbPfJNliCwqJ1YxfEKUD4Qr6eqpmSxr/htRGjT5/i71IDilaAqLNMBGS06kKI
         DJbrXcPiXq8Bw==
From:   Sasha Levin <sashal@kernel.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Jakub Kicinski <kuba@kernel.org>,
        George Shuklin <george.shuklin@gmail.com>,
        David Ahern <dsahern@kernel.org>,
        Sasha Levin <sashal@kernel.org>, davem@davemloft.net,
        pabeni@redhat.com, idosch@nvidia.com, petrm@nvidia.com,
        edumazet@google.com, yajun.deng@linux.dev, avagin@gmail.com,
        cong.wang@bytedance.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.17 131/149] net: limit altnames to 64k total
Date:   Fri,  1 Apr 2022 10:25:18 -0400
Message-Id: <20220401142536.1948161-131-sashal@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220401142536.1948161-1-sashal@kernel.org>
References: <20220401142536.1948161-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 155fb43b70b5fce341347a77d1af2765d1e8fbb8 ]

Property list (altname is a link "property") is wrapped
in a nlattr. nlattrs length is 16bit so practically
speaking the list of properties can't be longer than
that, otherwise user space would have to interpret
broken netlink messages.

Prevent the problem from occurring by checking the length
of the property list before adding new entries.

Reported-by: George Shuklin <george.shuklin@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/rtnetlink.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 9c9ad3d4b766..43b995e935cd 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3652,12 +3652,23 @@ static int rtnl_alt_ifname(int cmd, struct net_device *dev, struct nlattr *attr,
 			   bool *changed, struct netlink_ext_ack *extack)
 {
 	char *alt_ifname;
+	size_t size;
 	int err;
 
 	err = nla_validate(attr, attr->nla_len, IFLA_MAX, ifla_policy, extack);
 	if (err)
 		return err;
 
+	if (cmd == RTM_NEWLINKPROP) {
+		size = rtnl_prop_list_size(dev);
+		size += nla_total_size(ALTIFNAMSIZ);
+		if (size >= U16_MAX) {
+			NL_SET_ERR_MSG(extack,
+				       "effective property list too long");
+			return -EINVAL;
+		}
+	}
+
 	alt_ifname = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
 	if (!alt_ifname)
 		return -ENOMEM;
-- 
2.34.1