Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp1852845rbb; Tue, 27 Feb 2024 03:25:51 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVAohYdu8Q1OwVo+aPtHQr/A9WdHk4B77tpoxOP+nSXbhwDMuOsYspJxAxaF11mdh8T8xy1ZGN3+UhKf8JDlsWbuFWPgXnRqcDIbkaZJA== X-Google-Smtp-Source: AGHT+IEEJNJlhzjPmLoWI2qqoZIgzCo6Ijy44pe3y9strWlINjZAyYpatJtQ84HvD3cAU7qBQgLk X-Received: by 2002:a17:906:918:b0:a3e:e84a:ccfb with SMTP id i24-20020a170906091800b00a3ee84accfbmr6005350ejd.9.1709033151288; Tue, 27 Feb 2024 03:25:51 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709033151; cv=pass; d=google.com; s=arc-20160816; b=H8XgXIwyENU8azgAlnnByAyDzNdPBaQ4uUnWZeXYdVdzcPCD2U5Dq1R3ug7D5O9Yj4 ETjWrMbCi31PCwPqqiNTQfck/bDK0fB8Z51PIxSvPxd+KxSoBpIZxgApzNPm4a8P8Xyq lFc3HNWhG8FU16GET4LGlpB8E5vejrilJ8FRj0B30sLyuIcDS65D2fZ0Wh1kg5zu6RP1 hh8rj0URs4gtUdhs7UWz6FdUxot4h8/IY8+MRL59+HiBgRyGbZ30wLUtv1xCCCfLzrnU 7hefreSITzM45wWtAWSoCukPGehrofL87DSGP7I3mj7PdcjQ5ZLjTiDvXaz3vNri5vyz hZJA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=KI5eG390ffSqx8RaN+jlA/4cItpLtfyutTUFjdeBTiI=; fh=FteHhG4EV1CHkIfnoigxevD8u+TlGGYoerrBwkYLDmA=; b=pVxGANa+2HR+oWneFs7okxQ95NX9TYpZaD1r4sDOmwEl3TRUYxqq4MStZz7pcnP2uM O8uEBl0MwyTOluicfpfX3TtR1b7smZEBvlnRKZTKJpfbyTWf4lh5gSF5L7uwvleM59nH 4lXTXve13Bt0Ove7kdW7uXWI6WWr2+nJYCLz0Q32xTovZ0p95fCA2v8RgRxBGEkLU27I jTSIyOlsijgRdkaaPUYnzzZdEeqCFYn633J/5OwsBxruIEAyjT4Y+xKMsfbyabj5ogzV Z7xPlRWSYObIs0iIyJKLR1wSqWPGLbL+68xOhBgpTJ4+QOypR6yhmM+xLegMkOhQ24Uv i6Rw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@blackwall-org.20230601.gappssmtp.com header.s=20230601 header.b=QoEZRPfN; arc=pass (i=1 dkim=pass dkdomain=blackwall-org.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-83122-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-83122-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id by6-20020a170906a2c600b00a3e52e39d96si628875ejb.256.2024.02.27.03.25.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Feb 2024 03:25:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-83122-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@blackwall-org.20230601.gappssmtp.com header.s=20230601 header.b=QoEZRPfN; arc=pass (i=1 dkim=pass dkdomain=blackwall-org.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-83122-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-83122-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id DEC351F23383 for ; Tue, 27 Feb 2024 11:25:50 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id F2C6913959F; Tue, 27 Feb 2024 11:25:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=blackwall-org.20230601.gappssmtp.com header.i=@blackwall-org.20230601.gappssmtp.com header.b="QoEZRPfN" Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66E75139580 for ; Tue, 27 Feb 2024 11:25:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709033141; cv=none; b=lplfQls6rGYuM6u9iwUFQPNoxmnXmbNgNSE/GUiL1umZ1s7WQAlia3wfH5POiq7R0p+39mGU8r+2kSdA997L14f9klIgn+mieBsH+s8tRo0hSODVZom5OVMBIZH6RxhARcauOCeMNKeP1traFtmPQVHVHph85l8tVgTbWKE/t/Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709033141; c=relaxed/simple; bh=C7BovUgZxD1vPO2Pt0Fk5S5FcxhE6gMOTFf3j8+GrvA=; h=Message-ID:Date:MIME-Version:Subject:To:References:From: In-Reply-To:Content-Type; b=Xy1v+/ZAgCQDyH/0oyZQZcHZNP8RiXNRnLxDZYKcfn9xvvF81HAaCRKNMmy0d3QJGOdQ1FHCBPOufwMfuXGL7nercW6JY8D3MffKk9/bGCwfQkPnDJvLPQUmvCu+Yy5IBNSnvbEgV4LPHUIEuNGhznN+qefhT3z3xA+x7xWsK1w= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=blackwall.org; spf=none smtp.mailfrom=blackwall.org; dkim=pass (2048-bit key) header.d=blackwall-org.20230601.gappssmtp.com header.i=@blackwall-org.20230601.gappssmtp.com header.b=QoEZRPfN; arc=none smtp.client-ip=209.85.208.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=blackwall.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=blackwall.org Received: by mail-ed1-f51.google.com with SMTP id 4fb4d7f45d1cf-563d32ee33aso5404164a12.2 for ; Tue, 27 Feb 2024 03:25:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blackwall-org.20230601.gappssmtp.com; s=20230601; t=1709033138; x=1709637938; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=KI5eG390ffSqx8RaN+jlA/4cItpLtfyutTUFjdeBTiI=; b=QoEZRPfNncNPzTQsKNwex2/f4j18vpCXq0Z3O4BWCq3P58Rn4yhSieZs8myCeF37Gj UPnfFmBApgWKOet7zpT1EKPMXUhHOm5BYKxPMNDke/AFt4g8Kma/yXlPTn/HUQJKau2/ /+nCTrkC0YvkpyKEXNtplikMzR/GKWZ+ztyTCgGIVoggYgsv+vGzQctK+8cIG4m67ksT yC0a0aXZIyGICWIH8YJyAdC0025qzXzZmWxPVqGqQiIfylZUKJUuNIR+3FVzm3bY0xmR Mhr5xU2jkcVsFOQTIBU/IeJQSrV6Uc2tN8YfmsD9iRgy4M6TkFaoX+eRBOQyt2ltYcnb Kqvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709033138; x=1709637938; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=KI5eG390ffSqx8RaN+jlA/4cItpLtfyutTUFjdeBTiI=; b=wPuI//aoo81Nlj+UkKr/+7e+XB7B4JGlN3SjdsbCDOzDDAxnVDT++HtYRbVCfyqHfN NKD+E7Zq2iMMsVBHHALoTHb5u/lQmEp+8FSRDF83igEq/wFuLgPCOZiDt5mmqOUbAW7U jkWQ/Y1w8EFvOqtN3dxpPDWDxKoirgazZl37+JXAcDVRV7Wp6HdsAnsbJunX8cPomZwd ZvFbZXLFEn+wkiWj5LTiRxtpTEqwJVeawnEKbieiEM742ikXb40nDYlj/eQyFlrJkyIf FnuyxbYtXoG/zc5d5tnkHDpCofZByBT3qoM/rCLfWfcoCYMpkpWo0aTZjwUcZedWqDqH 3cPw== X-Forwarded-Encrypted: i=1; AJvYcCVR1KA/KSAUmzYPUS1evyLMIxUf7I77vEgF2k2HI19EKWuhj0gGZPOb+1/aoVlYYfEP5uDauPjmNRhSvDw+Q1zc+OD81LJWKmADedVq X-Gm-Message-State: AOJu0Yy3SF2lYsJw7zkEZEGlJPZKrfqSDPTqpz1jiUKgw/n2aOMTk/N/ U16Rxm7qbCtijXEonXdFr0GuI1EeA3WCYbH6FiLabklW5JGIx1mwrYJ6wbej0KY= X-Received: by 2002:a05:6402:2050:b0:565:e360:aee4 with SMTP id bc16-20020a056402205000b00565e360aee4mr3484699edb.18.1709033137467; Tue, 27 Feb 2024 03:25:37 -0800 (PST) Received: from [192.168.0.106] (176.111.183.96.kyiv.volia.net. [176.111.183.96]) by smtp.gmail.com with ESMTPSA id c5-20020a0564021f8500b005653439cadcsm672933edc.25.2024.02.27.03.25.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 27 Feb 2024 03:25:37 -0800 (PST) Message-ID: <2e8c704f-e6a6-40b8-8d4b-7c3a987c4839@blackwall.org> Date: Tue, 27 Feb 2024 13:25:35 +0200 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH net v1] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Content-Language: en-US To: Lin Ma , davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, idosch@nvidia.com, jiri@resnulli.us, lucien.xin@gmail.com, edwin.peer@broadcom.com, amcohen@nvidia.com, pctammela@mojatatu.com, liuhangbin@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20240227110113.573334-1-linma@zju.edu.cn> From: Nikolay Aleksandrov In-Reply-To: <20240227110113.573334-1-linma@zju.edu.cn> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 2/27/24 13:01, Lin Ma wrote: > In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks > IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic > in the function `rtnl_bridge_setlink` to enable the loop to also check > the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment > removed the `break` statement and led to an error logic of the flags > writing back at the end of this function. > > if (have_flags) > memcpy(nla_data(attr), &flags, sizeof(flags)); > // attr should point to IFLA_BRIDGE_FLAGS NLA !!! > > Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. > However, this is not necessarily true fow now as the updated loop will let > the attr point to the last NLA, even an invalid NLA which could cause > overflow writes. > > This patch introduces a new variable `br_flag` to save the NLA pointer > that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned > error logic. > > Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length") > Signed-off-by: Lin Ma > --- That fix is obviously broken, I don't know how I missed it back then. One comment below, > net/core/rtnetlink.c | 11 +++++------ > 1 file changed, 5 insertions(+), 6 deletions(-) > > diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c > index 9c4f427f3a50..e9f16e5e3515 100644 > --- a/net/core/rtnetlink.c > +++ b/net/core/rtnetlink.c > @@ -5169,10 +5169,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, > struct net *net = sock_net(skb->sk); > struct ifinfomsg *ifm; > struct net_device *dev; > - struct nlattr *br_spec, *attr = NULL; > + struct nlattr *br_spec, *attr, *br_flag = NULL; Please name the variable to something that describes it better, like br_flags_attr. > int rem, err = -EOPNOTSUPP; > u16 flags = 0; > - bool have_flags = false; > > if (nlmsg_len(nlh) < sizeof(*ifm)) > return -EINVAL; > @@ -5190,11 +5189,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, > br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); > if (br_spec) { > nla_for_each_nested(attr, br_spec, rem) { > - if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) { > + if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flag) { > if (nla_len(attr) < sizeof(flags)) > return -EINVAL; > > - have_flags = true; > + br_flag = attr; > flags = nla_get_u16(attr); > } > > @@ -5238,8 +5237,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, > } > } > > - if (have_flags) > - memcpy(nla_data(attr), &flags, sizeof(flags)); > + if (br_flag) > + memcpy(nla_data(br_flag), &flags, sizeof(flags)); > out: > return err; > }