From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, George Shuklin, David Ahern, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.15 095/277] net: limit altnames to 64k total
Date: Tue, 12 Apr 2022 08:28:18 +0200
Message-Id: <20220412062944.792494036@linuxfoundation.org>
In-Reply-To: <20220412062942.022903016@linuxfoundation.org>
References: <20220412062942.022903016@linuxfoundation.org>

From: Jakub Kicinski

[ Upstream commit 155fb43b70b5fce341347a77d1af2765d1e8fbb8 ]

Property list (altname is a link "property") is wrapped
in a nlattr. nlattrs length is 16bit so practically
speaking the list of properties can't be longer than
that, otherwise user space would have to interpret
broken netlink messages.

Prevent the problem from occurring by checking the length
of the property list before adding new entries.

Reported-by: George Shuklin
Reviewed-by: David Ahern
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
--- net/core/rtnetlink.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index a8c319dc224a..9c0e8ccf9bc5 100644
--- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -3631,12 +3631,23 @@ static int rtnl_alt_ifname(int cmd, struct net_device *dev, struct nlattr *attr, bool *changed, struct netlink_ext_ack *extack) { char *alt_ifname; + size_t size; int err; err = nla_validate(attr, attr->nla_len, IFLA_MAX, ifla_policy, extack); if (err) return err; + if (cmd == RTM_NEWLINKPROP) { + size = rtnl_prop_list_size(dev); + size += nla_total_size(ALTIFNAMSIZ); + if (size >= U16_MAX) { + NL_SET_ERR_MSG(extack, + "effective property list too long"); + return -EINVAL; + } + } + alt_ifname = nla_strdup(attr, GFP_KERNEL_ACCOUNT); if (!alt_ifname) return -ENOMEM; -- 2.35.1
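
Review bot: the new RTM_NEWLINKPROP block in rtnl_alt_ifname() has no comment explaining its bound, so the reason for it (the property list is wrapped in a single nlattr whose length field is 16 bits) lives only in the commit message. The check reserves the worst-case nla_total_size(ALTIFNAMSIZ) rather than the size of the name actually being added, and it compares with ">= U16_MAX", which also rejects a list of exactly U16_MAX bytes; both choices are conservative and safe, but a short comment above "if (cmd == RTM_NEWLINKPROP) {" should say they are deliberate and state whether rtnl_prop_list_size() already counts the nest header, which the hunk does not show. Placing the check before nla_strdup() is right, since the error path then has nothing to free. Two smaller points: "size" is only used inside the new block and could be declared there, and returning -EINVAL for a well-formed request that merely exceeds a capacity limit leaves user space with only the extack string "effective property list too long" to tell it apart from a malformed attribute, so consider naming the limit in that message.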