1. Patchew
  2. linux
  3. View series

[PATCH v2 net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()

Dan Carpenter posted 1 patch 11 months ago 
net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
[PATCH v2 net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Posted by Dan Carpenter 11 months ago 
The get->num_services variable is an unsigned int which is controlled by
the user.  The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.

Both "len" and "get->num_services" come from the user.  This check is
just a sanity check to help the user and ensure they are using the API
correctly.  An integer overflow here is not a big deal.  This has no
security impact.

Save the result from struct_size() type size_t to fix this integer
overflow bug.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
v2: fix %lu vs %zu in the printk().  It breaks the build on 32bit
    systems.
    Remove the CC stable.

 net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 7d13110ce188..0633276d96bf 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3091,12 +3091,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 	case IP_VS_SO_GET_SERVICES:
 	{
 		struct ip_vs_get_services *get;
-		int size;
+		size_t size;
 
 		get = (struct ip_vs_get_services *)arg;
 		size = struct_size(get, entrytable, get->num_services);
 		if (*len != size) {
-			pr_err("length: %u != %u\n", *len, size);
+			pr_err("length: %u != %zu\n", *len, size);
 			ret = -EINVAL;
 			goto out;
 		}
@@ -3132,12 +3132,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 	case IP_VS_SO_GET_DESTS:
 	{
 		struct ip_vs_get_dests *get;
-		int size;
+		size_t size;
 
 		get = (struct ip_vs_get_dests *)arg;
 		size = struct_size(get, entrytable, get->num_dests);
 		if (*len != size) {
-			pr_err("length: %u != %u\n", *len, size);
+			pr_err("length: %u != %zu\n", *len, size);
 			ret = -EINVAL;
 			goto out;
 		}
-- 
2.47.2
Re: [PATCH v2 net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Posted by Julian Anastasov 11 months ago 
	Hello,

On Mon, 10 Mar 2025, Dan Carpenter wrote:

> The get->num_services variable is an unsigned int which is controlled by
> the user.  The struct_size() function ensures that the size calculation
> does not overflow an unsigned long, however, we are saving the result to
> an int so the calculation can overflow.
> 
> Both "len" and "get->num_services" come from the user.  This check is
> just a sanity check to help the user and ensure they are using the API
> correctly.  An integer overflow here is not a big deal.  This has no
> security impact.
> 
> Save the result from struct_size() type size_t to fix this integer
> overflow bug.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

	Looks good to me, thanks!

Acked-by: Julian Anastasov <ja@ssi.bg>

	Pablo, you can apply it to the nf tree.

> ---
> v2: fix %lu vs %zu in the printk().  It breaks the build on 32bit
>     systems.
>     Remove the CC stable.
> 
>  net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 7d13110ce188..0633276d96bf 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -3091,12 +3091,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
>  	case IP_VS_SO_GET_SERVICES:
>  	{
>  		struct ip_vs_get_services *get;
> -		int size;
> +		size_t size;
>  
>  		get = (struct ip_vs_get_services *)arg;
>  		size = struct_size(get, entrytable, get->num_services);
>  		if (*len != size) {
> -			pr_err("length: %u != %u\n", *len, size);
> +			pr_err("length: %u != %zu\n", *len, size);
>  			ret = -EINVAL;
>  			goto out;
>  		}
> @@ -3132,12 +3132,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
>  	case IP_VS_SO_GET_DESTS:
>  	{
>  		struct ip_vs_get_dests *get;
> -		int size;
> +		size_t size;
>  
>  		get = (struct ip_vs_get_dests *)arg;
>  		size = struct_size(get, entrytable, get->num_dests);
>  		if (*len != size) {
> -			pr_err("length: %u != %u\n", *len, size);
> +			pr_err("length: %u != %zu\n", *len, size);
>  			ret = -EINVAL;
>  			goto out;
>  		}
> -- 
> 2.47.2

Regards

--
Julian Anastasov <ja@ssi.bg>
Re: [PATCH v2 net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Posted by Pablo Neira Ayuso 11 months ago 
On Tue, Mar 11, 2025 at 07:50:44PM +0200, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Mon, 10 Mar 2025, Dan Carpenter wrote:
> 
> > The get->num_services variable is an unsigned int which is controlled by
> > the user.  The struct_size() function ensures that the size calculation
> > does not overflow an unsigned long, however, we are saving the result to
> > an int so the calculation can overflow.
> > 
> > Both "len" and "get->num_services" come from the user.  This check is
> > just a sanity check to help the user and ensure they are using the API
> > correctly.  An integer overflow here is not a big deal.  This has no
> > security impact.
> > 
> > Save the result from struct_size() type size_t to fix this integer
> > overflow bug.
> > 
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> 
> 	Looks good to me, thanks!
> 
> Acked-by: Julian Anastasov <ja@ssi.bg>
> 
> 	Pablo, you can apply it to the nf tree.

Done, thanks Julian.

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.