From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, George Shuklin, David Ahern, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.16 097/285] net: limit altnames to 64k total
Date: Tue, 12 Apr 2022 08:29:14 +0200
Message-Id: <20220412062946.465735946@linuxfoundation.org>
In-Reply-To: <20220412062943.670770901@linuxfoundation.org>
References: <20220412062943.670770901@linuxfoundation.org>

From: Jakub Kicinski

[ Upstream commit 155fb43b70b5fce341347a77d1af2765d1e8fbb8 ]

Property list (altname is a link "property") is wrapped in a nlattr. nlattrs length is 16bit so practically speaking the list of properties can't be longer than that, otherwise user space would have to interpret broken netlink messages.

Prevent the problem from occurring by checking the length of the property list before adding new entries.

Reported-by: George Shuklin
Reviewed-by: David Ahern
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin

--- net/core/rtnetlink.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 6a7883ec0489..ef56dc8d7c44 100644
--- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -3631,12 +3631,23 @@ static int rtnl_alt_ifname(int cmd, struct net_device *dev, struct nlattr *attr, bool *changed, struct netlink_ext_ack *extack) { char *alt_ifname; + size_t size; int err; err = nla_validate(attr, attr->nla_len, IFLA_MAX, ifla_policy, extack); if (err) return err; + if (cmd == RTM_NEWLINKPROP) { + size = rtnl_prop_list_size(dev); + size += nla_total_size(ALTIFNAMSIZ); + if (size >= U16_MAX) { + NL_SET_ERR_MSG(extack, + "effective property list too long"); + return -EINVAL; + } + } + alt_ifname = nla_strdup(attr, GFP_KERNEL_ACCOUNT); if (!alt_ifname) return -ENOMEM; -- 2.35.1
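
Review bot: the new RTM_NEWLINKPROP branch has no comment saying where the U16_MAX bound comes from, and the test it applies is stricter than the name being added requires: it adds nla_total_size(ALTIFNAMSIZ), the worst-case attribute size, instead of the size of the string actually carried in attr, and rejects on size >= U16_MAX. Erring on the conservative side is reasonable for a limit that protects user space from a property list that overflows the 16-bit nla_len of the enclosing attribute, but that reasoning lives only in the commit message; a short comment above the check would keep it next to the code. The body of rtnl_prop_list_size() is not part of this hunk, so whether its result already accounts for the nest header cannot be confirmed from these lines and is worth checking alongside the bound. Placing the check before nla_strdup() is right, since the early return then has nothing to free.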