[PATCH net] ipvs: prevent integer overflow in do_ip_vs_get

To:	"Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx>
Subject:	[PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Cc:	Simon Horman <horms@xxxxxxxxxxxx>, Julian Anastasov <ja@xxxxxx>, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, Paolo Abeni <pabeni@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, kernel-janitors@xxxxxxxxxxxxxxx
From:	Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:	Fri, 7 Mar 2025 16:44:02 +0300

The get->num_services variable is an unsigned int which is controlled by
the user.  The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.

Save the result from struct_size() type size_t to fix this integer
overflow bug.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 7d13110ce188..801d65fd8a81 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3091,12 +3091,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user 
*user, int *len)
        case IP_VS_SO_GET_SERVICES:
        {
                struct ip_vs_get_services *get;
-               int size;
+               size_t size;
 
                get = (struct ip_vs_get_services *)arg;
                size = struct_size(get, entrytable, get->num_services);
                if (*len != size) {
-                       pr_err("length: %u != %u\n", *len, size);
+                       pr_err("length: %u != %lu\n", *len, size);
                        ret = -EINVAL;
                        goto out;
                }
@@ -3132,12 +3132,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user 
*user, int *len)
        case IP_VS_SO_GET_DESTS:
        {
                struct ip_vs_get_dests *get;
-               int size;
+               size_t size;
 
                get = (struct ip_vs_get_dests *)arg;
                size = struct_size(get, entrytable, get->num_dests);
                if (*len != size) {
-                       pr_err("length: %u != %u\n", *len, size);
+                       pr_err("length: %u != %lu\n", *len, size);
                        ret = -EINVAL;
                        goto out;
                }
-- 
2.47.2

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Dan Carpenter <= Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Jan Engelhardt Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Julian Anastasov Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), kernel test robot

Next by Date:	Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Jan Engelhardt
Next by Thread:	Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Jan Engelhardt
Indexes:	[Date] [Thread] [Top] [All Lists]

[PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()