From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mail.toke.dk; spf=pass smtp.mailfrom=; dkim=pass header.d=trailofbits.com; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=trailofbits.com policy.dmarc=reject Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) by mail.toke.dk (Postfix) with ESMTPS id 8BC3311DEDA0 for ; Tue, 09 Jun 2026 02:06:05 +0200 (CEST) Received: by mail-qk1-x730.google.com with SMTP id af79cd13be357-9159da9bba5so354866085a.1 for ; Mon, 08 Jun 2026 17:06:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trailofbits.com; s=google; t=1780963563; x=1781568363; darn=lists.bufferbloat.net; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=cKIVc3iYY7EOPxTwVj4oTrI6pPe5zXEw+1M3EAqLh/8=; b=flE4XquJf3mAggwzwapUDR/MEMf3/qRXJYgIfi8eWmB+FDH+wuKGNZ+4wynrp3GdhW 2d+X9WsBMz8qS+yAtUXsO3OsLy9LGLKXF0Q/wi0GDEJgE5A+JLvthG1wBy6DHCaOJLBr N2DDPt2peSEqCHkco2DWvu/2ePCoBnkURHpExsQkZH1EboC33AoOVcXr25YO07GioKRL Jecf//5o1tWhxre+y52I2j8hGB1U3T8m2okxQytZduz9vqzbWMicJk6Eyw0AYRc7Wwt6 9LMVfuUf5QOtQk2x+c3xl4MltUu5o4VLD+QKxWfiJ0BzZzItmQU586e/EB8/xvWguy07 d7fA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780963563; x=1781568363; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=cKIVc3iYY7EOPxTwVj4oTrI6pPe5zXEw+1M3EAqLh/8=; b=X1ZSPGOilPfO33e+tMySAwD0Ih42A2tnD8CbyS7Aka9E5yfvSy2APZSWIEb8ZVVjDn +3rHp0nmHqjcfrwWDUjm2w3gTLx16FyeYESp8KgEkTamrSyGJVfyzOcguHbvFslZ/+kE httQIhF2OsYqypVxCARpedqp8iOFUtwjMFndgYSn7a0JDFXQhbAWIRj9smruN5tWkh3R n6O62Iyx3BjbIRl1ikaUUfga+ZeulLPLEN7bgWqpt+/MMYpXeqlxJRRqDkb7YZA+SCc+ 5iufTSlMJ8pNW9stiQUFh6nxAWtjCGwts+d7mWlF4cf81ZHyh0u5gFA8BclKBTJfo5BJ lGGA== X-Forwarded-Encrypted: i=1; AFNElJ/anmq8lgjbjIozeATllpyFHONBkIyyBtCLJs3R857BSBHt1/YCpBgNjkgns7rdvsEHhhHa@lists.bufferbloat.net X-Gm-Message-State: AOJu0YxkEPqc3RDTOt/lnJHKBziZRGWdPw+Wyj8dVnkZ1T85MhYTOcfL rfF3s4nP3u3Gzyco9KBs21ekuJWeL1FekrgZbC0JXDWKKFwFlUnU4ryz8fBLnZdpuqk= X-Gm-Gg: Acq92OEv/DdBO4KPDbLhKnADIhlS7EuvtctajCG/4H7rI3kFFUbyIH1oFY+F4F2z5oT 7rLxmmCJCNLuzZchxtNqnpsaGj783mDdW7AHp4iF/EWKlguw2zM79cVCHiLRkJpeuoz493ph/gg oVdI2MjYqB7gr7KgREyYKcX/XDlaGZDljj9FqqNPibBDOGxX4qfyZfN9kXZZVlsoZzTbAizfxE8 Yqpey9YcQDergcI79ml4s4Mhrn5+vW6xzJ60OyvbvyHKJDGnOeGdT5zUGV24MuyktxCm1MtFTlh XCP2kgY8Vp+/2s5iZ2MkZJ4eT+XHpQwb+ppP/spcWiZSr2D6ZDNHmkuu1GJHS7O7kuw7HFOcP6m 0qItiFyGiayABpHwmsH/7B2v1amdf6aK7kp0SbCX2/432BTuOwk007WssaaDaOFRKNDPwa/zXpn yJn/qb94ZiVrxO1gj3/Q06y9fwLkzTSL6DrgrC6g== X-Received: by 2002:a05:620a:4590:b0:915:89d4:df22 with SMTP id af79cd13be357-915a9db5d00mr2823551485a.50.1780963563183; Mon, 08 Jun 2026 17:06:03 -0700 (PDT) Received: from localhost ([161.35.96.86]) by smtp.gmail.com with UTF8SMTPSA id af79cd13be357-9158a3bf5dasm1896316485a.36.2026.06.08.17.06.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jun 2026 17:06:01 -0700 (PDT) From: Samuel Moelius To: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= Cc: Samuel Moelius , Jamal Hadi Salim , Jiri Pirko , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , cake@lists.bufferbloat.net (moderated list:CAKE QDISC), netdev@vger.kernel.org (open list:TC subsystem), linux-kernel@vger.kernel.org (open list) Date: Tue, 9 Jun 2026 00:00:59 +0000 Message-ID: <20260609000059.1234072.bc8844db0200.cake-overhead-underflow@trailofbits.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MailFrom: sam.moelius@trailofbits.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation Message-ID-Hash: 24CGPDFQTU7S26NIKPNZGZG4SWKEI2GE X-Message-ID-Hash: 24CGPDFQTU7S26NIKPNZGZG4SWKEI2GE X-Mailman-Approved-At: Tue, 09 Jun 2026 14:26:24 +0200 X-Mailman-Version: 3.3.10 Precedence: list Subject: [Cake] [PATCH] net/sched: cake: reject overhead values that underflow length List-Id: Cake - FQ_codel the next generation Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: CAKE accepts overhead values that can make adjusted packet length arithmetic underflow. A negative effective length can wrap through unsigned arithmetic and become a large value. Such configurations make rate accounting depend on integer wraparound rather than on the packet size userspace intended to model. Validate overhead settings before using them in adjusted length calculations. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius --- net/sched/sch_cake.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c index 5862933be8d7..03972e5525b5 100644 --- a/net/sched/sch_cake.c +++ b/net/sched/sch_cake.c @@ -2308,12 +2308,18 @@ static void cake_reset(struct Qdisc *sch) cake_clear_tin(sch, c); } +static const struct netlink_range_validation_signed cake_overhead_range = { + .min = -64, + .max = 256, +}; + static const struct nla_policy cake_policy[TCA_CAKE_MAX + 1] = { [TCA_CAKE_BASE_RATE64] = { .type = NLA_U64 }, [TCA_CAKE_DIFFSERV_MODE] = { .type = NLA_U32 }, [TCA_CAKE_ATM] = { .type = NLA_U32 }, [TCA_CAKE_FLOW_MODE] = { .type = NLA_U32 }, - [TCA_CAKE_OVERHEAD] = { .type = NLA_S32 }, + [TCA_CAKE_OVERHEAD] = + NLA_POLICY_FULL_RANGE_SIGNED(NLA_S32, &cake_overhead_range), [TCA_CAKE_RTT] = { .type = NLA_U32 }, [TCA_CAKE_TARGET] = { .type = NLA_U32 }, [TCA_CAKE_AUTORATE] = { .type = NLA_U32 }, -- 2.43.0