Page MenuHomeFreeBSD
Differential D37229

ng_parse: disallow negative length for malloc
ClosedPublic
Actions

Authored by emaste on Nov 1 2022, 2:12 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 10, 5:38 PM
Unknown Object (File)
Fri, Oct 10, 5:38 PM
Unknown Object (File)
Fri, Oct 10, 5:38 PM
Unknown Object (File)
Fri, Oct 10, 5:38 PM
Unknown Object (File)
Fri, Oct 10, 12:32 PM
Unknown Object (File)
Fri, Sep 19, 6:02 AM
Unknown Object (File)
Sep 4 2025, 1:40 PM
Unknown Object (File)
Sep 3 2025, 10:39 PM
View All 81 Files
Subscribers
des
glebius
imp
melifaro

Details

Reviewers
donner
glebius
Commits
rGbc77917cd053: ng_parse: disallow negative length for malloc
rG0e0329c6dbab: ng_parse: disallow negative length for malloc
rGae4f39464c61: ng_parse: disallow negative length for malloc
Summary
PR:             267334
Reported by:    Robert Morris <rtm@lcs.mit.edu>
Sponsored by:   The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

emaste created this revision.Nov 1 2022, 2:12 PM
Herald added subscribers: glebius, melifaro. · View Herald TranscriptNov 1 2022, 2:12 PM
emaste requested review of this revision.Nov 1 2022, 2:12 PM
emaste updated this revision to Diff 112470.Nov 1 2022, 5:00 PM

just return, foff is not yet set

glebius requested changes to this revision.Nov 2 2022, 6:14 PM

Can we return unsigned value from ng_get_composite_len() instead?

This revision now requires changes to proceed.Nov 2 2022, 6:14 PM
glebius added a comment.Nov 2 2022, 6:16 PM

Looking at 267334. IMHO, we should return the error for invalid message as close as possible to the userland. Don't let the invalid data travel this down.

emaste added a comment.Nov 2 2022, 6:34 PM

Of course we should also check for num nonnegative and too large; there's probably more to be covered here too.

emaste added a comment.Nov 2 2022, 6:56 PM

Can we return unsigned value from ng_get_composite_len() instead?

We should, but I think there are ABI considerations to take into account and we really need someone who understands netgraph well.

emaste added a comment.Nov 21 2024, 8:52 PM

I'm going to commit this as an interim improvement. We can revisit ng_get_composite_len's return type and error handling later on.

This revision was not accepted when it landed; it landed in state Needs Revision.Nov 21 2024, 8:56 PM
Closed by commit rGae4f39464c61: ng_parse: disallow negative length for malloc (authored by emaste). · Explain Why
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rGae4f39464c61: ng_parse: disallow negative length for malloc.
Herald added a subscriber: imp. · View Herald TranscriptNov 21 2024, 8:56 PM
emaste added a commit: rG0e0329c6dbab: ng_parse: disallow negative length for malloc.Dec 2 2024, 9:11 PM
des added a subscriber: des.Aug 25 2025, 10:34 AM

I agree in principle with “as close as possible to userland”, but I don't see how you could move this check any closer to userland without either duplicating a non-trivial amount of code in several places or completely refactoring ng_parse.c.

More importantly though, I'm concerned by the lack of an upper bound on num. I wouldn't be surprised if it's possible to pass in a value that causes the multiplication in the malloc() call to overflow to a small positive number, allowing the allocation to succeed but leading to a buffer overflow further down the line.

des added a comment.Aug 25 2025, 10:35 AM

I also dislike hiding the call to ng_get_composite_len() in the initialization of num. I would prefer to see it immediately before the range check.

emaste added a commit: rGbc77917cd053: ng_parse: disallow negative length for malloc.Sep 4 2025, 1:06 PM

Revision Contents
Changeset List

PathSize
sys/
netgraph/
2 lines

Diff 146813

View Options

sys/netgraph/ng_parse.c

Loading...