
bonding: fix send_peer_notif overflow

Bonding send_peer_notif was defined as u8. Since commit 07a4ddec3ce9
("bonding: add an option to specify a delay between peer notifications"),
bond->send_peer_notif will be num_peer_notif multiplied by
peer_notif_delay, which is u8 * u32. This can easily overflow
send_peer_notif, e.g.:

ip link add bond0 type bond mode 1 miimon 100 num_grat_arp 30 peer_notify_delay 1000

To fix the overflow, let's set the send_peer_notif to u32 and limit
peer_notif_delay to 300s.

Reported-by: Liang Li <liali@redhat.com>
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2090053
Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Hangbin Liu and committed by
David S. Miller
9949e2ef 7c83e28f

+14 -3
+6 -1
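--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -84,6 +84,11 @@
 return -EMSGSIZE;
 }
 
+/* Limit the max delay range to 300s */
+static struct netlink_range_validation delay_range = {
+.max = 300000,
+};
+
 static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = {
 [IFLA_BOND_MODE] = { .type = NLA_U8 },
 [IFLA_BOND_ACTIVE_SLAVE] = { .type = NLA_U32 },
@@ -114,7 +119,7 @@
 [IFLA_BOND_AD_ACTOR_SYSTEM] = { .type = NLA_BINARY,
 .len = ETH_ALEN },
 [IFLA_BOND_TLB_DYNAMIC_LB] = { .type = NLA_U8 },
-[IFLA_BOND_PEER_NOTIF_DELAY] = { .type = NLA_U32 },
+[IFLA_BOND_PEER_NOTIF_DELAY] = NLA_POLICY_FULL_RANGE(NLA_U32, &delay_range),
 [IFLA_BOND_MISSED_MAX] = { .type = NLA_U8 },
 [IFLA_BOND_NS_IP6_TARGET] = { .type = NLA_NESTED },
 };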
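Review bot: `delay_range` is declared `static struct netlink_range_validation` without `const`, so the bound that the netlink policy enforces sits in writable data although nothing in this section modifies it. Assuming the `range` member of `struct nla_policy` is a pointer to const (it is not visible here), declare it as `static const struct netlink_range_validation delay_range = {`. The literal 300000 is also repeated in `bond_peer_notif_delay_tbl` in bond_options.c; one shared named constant would keep the netlink limit and the option-table limit from drifting apart.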
+7 -1
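--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -169,6 +169,12 @@
 { NULL, -1, 0}
 };
 
+static const struct bond_opt_value bond_peer_notif_delay_tbl[] = {
+{ "off", 0, 0},
+{ "maxval", 300000, BOND_VALFLAG_MAX},
+{ NULL, -1, 0}
+};
+
 static const struct bond_opt_value bond_primary_reselect_tbl[] = {
 { "always", BOND_PRI_RESELECT_ALWAYS, BOND_VALFLAG_DEFAULT},
 { "better", BOND_PRI_RESELECT_BETTER, 0},
@@ -488,7 +494,7 @@
 .id = BOND_OPT_PEER_NOTIF_DELAY,
 .name = "peer_notif_delay",
 .desc = "Delay between each peer notification on failover event, in milliseconds",
-.values = bond_intmax_tbl,
+.values = bond_peer_notif_delay_tbl,
 .set = bond_option_peer_notif_delay_set
 }
 };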
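Review bot: The 300000 ceiling in `bond_peer_notif_delay_tbl` has no comment explaining why it is a safe bound, so a later change could raise it without rechecking the width of `send_peer_notif`. Going by the commit message, that field holds num_peer_notif (u8) multiplied by the delay, so the worst case is 255 * 300000 = 76,500,000, which fits in u32. I would add `/* Max 300s: 255 * 300000 still fits the u32 send_peer_notif */` above the table. The second hunk sits inside the option array, which starts outside this section.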
+1 -1
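--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -233,7 +233,7 @@
 */
 spinlock_t mode_lock;
 spinlock_t stats_lock;
-u8 send_peer_notif;
+u32 send_peer_notif;
 u8 igmp_retrans;
 #ifdef CONFIG_PROC_FS
 struct proc_dir_entry *proc_entry;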
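Review bot: Only the declaration of `send_peer_notif` is widened here; the code that computes and decrements it is outside this section, so any narrower temporary or cast left there would still truncate the product and should be checked against the new u32 type. The field also has no comment tying its width to the limit added in the other two files; something like `/* pending peer notifications: num_peer_notif * delay, needs u32 */` would make the dependency visible. The enclosing struct starts and ends outside the hunk.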