• Daniel Borkmann's avatar
    net: esp{4,6}: fix potential MTU calculation overflows · 7921895a
    Daniel Borkmann authored
    Commit 91657eaf ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible interger overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow
    
      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
             net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);
    
    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here
    do not need to have special precedence.
    Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: default avatarBenjamin Poirier <bpoirier@suse.de>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    7921895a
esp6.c 15.8 KB