| Message ID | 20230901044219.10062-1-alexhenrie24@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | f31867d0d9d82af757c1e0178b659438f4c1ea3c |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [v3] net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr | expand |
On 8/31/23 10:41 PM, Alex Henrie wrote: > The existing code incorrectly casted a negative value (the result of a > subtraction) to an unsigned value without checking. For example, if > /proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred > lifetime would jump to 4 billion seconds. On my machine and network the > shortest lifetime that avoided underflow was 3 seconds. > > Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") > Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> > --- > Changes from v2: > - Use conventional format for "Fixes" line > - Send separately and leave the other four patches for later > --- > net/ipv6/addrconf.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Reviewed-by: David Ahern <dsahern@kernel.org>
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Thu, 31 Aug 2023 22:41:27 -0600 you wrote: > The existing code incorrectly casted a negative value (the result of a > subtraction) to an unsigned value without checking. For example, if > /proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred > lifetime would jump to 4 billion seconds. On my machine and network the > shortest lifetime that avoided underflow was 3 seconds. > > Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") > Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> > > [...] Here is the summary with links: - [v3] net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr https://git.kernel.org/netdev/net/c/f31867d0d9d8 You are awesome, thank you!
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 967913ad65e5..0b6ee962c84e 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1378,7 +1378,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, bool block) * idev->desync_factor if it's larger */ cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft); - max_desync_factor = min_t(__u32, + max_desync_factor = min_t(long, idev->cnf.max_desync_factor, cnf_temp_preferred_lft - regen_advance);
The existing code incorrectly casted a negative value (the result of a subtraction) to an unsigned value without checking. For example, if /proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred lifetime would jump to 4 billion seconds. On my machine and network the shortest lifetime that avoided underflow was 3 seconds. Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> --- Changes from v2: - Use conventional format for "Fixes" line - Send separately and leave the other four patches for later --- net/ipv6/addrconf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)