From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mail.toke.dk; spf=pass smtp.mailfrom=; dkim=pass header.d=trailofbits.com; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=trailofbits.com policy.dmarc=reject Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) by mail.toke.dk (Postfix) with ESMTPS id 23D6D11E849C for ; Wed, 10 Jun 2026 01:30:17 +0200 (CEST) Received: by mail-qk1-x736.google.com with SMTP id af79cd13be357-9157b949fc7so664719185a.3 for ; Tue, 09 Jun 2026 16:30:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trailofbits.com; s=google; t=1781047815; x=1781652615; darn=lists.bufferbloat.net; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Zj2TTUGE9JGo0G5Kz2j/PUb2+++ltpKUn7Tzej8LBcI=; b=RfkNdtFx9jMM6wfuJr5OoW/17/fyPzgGzRytKIvEMOhfjU4dItZxMvfbmUnt8rYai6 2/VW7nzWn7d0sWCfZxJZA1xcoEjefV4QJpO18WpGcbAGsRqCoJ768r9c/ar2rOHaOYHa peffajnh5jmp68M++idjmO88IEMmZ7fW0WbjZ2Slx41GH/Gy4vvLEeFkuLjvllrxykbI 8HeOMNztYZ4+U2IivN63+3fUTR1tjAG5xdIGspYJt5nd6oR7fxvdeG9RTlFBOeLOuS+F xavRJ5PgSx2GmpvjiEMdn0e79h5I3M6PHBTQYxizAb7ToHi2NWAcCTSWFnCZXtIhlepj RpDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781047815; x=1781652615; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Zj2TTUGE9JGo0G5Kz2j/PUb2+++ltpKUn7Tzej8LBcI=; b=BaLK5OeyFqr03ktw2bmkjkvWDqK91obOvZ7a1zjqliVHqUcz0ZPMdVJwKMegyxZfT2 L2uc8AEfTGxAe/svsbBhPaQYf2lGmEd6vlB6HRyRJL4DkEB1OJsGjIy4opTRqPddmuiP wf5hLhfwZGt4XiUz8dZmJo0gd3mWTBMcPB76mxJVzTXFNPKDZQMiadChQ3pF6JSjU82k /hrfLqapwq+UllPTbymdPlfjxNbQK1HseXSvH0oDMmXXRhowQlLZ8n08HmNB5EeC0Khv hCdJ1yWFqrf4rP+IdwWfzUg4OBFENb1IQmAm6uoSqKab3KspF2LxQp/DmT2r9fVbxfQv v1Xg== X-Forwarded-Encrypted: i=1; AFNElJ/AE1Z8TDjO+vX/6CwQMJt41blmt15XmhJ9gFD7+p01efuYo9AVlJrHmA9gGPT8kqdhDJnn@lists.bufferbloat.net X-Gm-Message-State: AOJu0YwnGQmQ7RSaPrJ6KjTV1eDFhJ5eotiCxGhNiRz4NL+QmxI+w0EF SYBJl1deidun4rN6GWRyHzMha0HqU0OUx7x+RV93lilwY3oIhhq6aLwv1zraIWsHiEc= X-Gm-Gg: Acq92OGSiHxx2OrqxnquMR0hHXdtx1Yar35/RTfF20OD4g1Yi0C6xnKEaEtjWQ7xbzL EOJxrKGbbOUqcdF3kr5MkI7pQzUQ6vi6L9++PJYfU/Al4IXQMBO+zgZdKI4oj1CYVU7CtX21F+X TeLtZeszoytKNHgosqeggNN8rMIHCEFOyaUlauAi70PnxE2P5TaKb4Bc6ZUfZ7nHTNWSLqQq8gO wI5NvMvv1/b/isNquJqwu+xfvTgaJrIXTnPKe7jfx06ITQOLUPjITyStpaYhvvKtztByW34yASN FuhjvBE1VFidzvk46QTmQ1sVNipqYI/LnR+qKyla4BJihltjj95eVeId/qM+NmVoNe73Hst1uG3 9YKQD8ur5CQVeXm+VJQIqyodlWPpsolzeF43m8knxfhvTuRevMeLEW/Ymvauwbro80ydrIwDKdg CazVPVd4m0wF5HuIw0KCvXTF7TBcW+U/RXO4PxEICCM7qCM586 X-Received: by 2002:a05:620a:649c:b0:915:9f87:eaaa with SMTP id af79cd13be357-915e8316469mr811336685a.42.1781047815198; Tue, 09 Jun 2026 16:30:15 -0700 (PDT) Received: from localhost ([161.35.96.86]) by smtp.gmail.com with UTF8SMTPSA id af79cd13be357-9158a37cae4sm2247735485a.29.2026.06.09.16.30.13 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 09 Jun 2026 16:30:14 -0700 (PDT) From: Samuel Moelius To: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= Cc: Samuel Moelius , Jamal Hadi Salim , Jiri Pirko , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , cake@lists.bufferbloat.net (moderated list:CAKE QDISC), netdev@vger.kernel.org (open list:TC subsystem), linux-kernel@vger.kernel.org (open list) Date: Tue, 9 Jun 2026 23:29:36 +0000 Message-ID: <20260609232935.1602659.8545fdb04fbe.cake-overhead-underflow@trailofbits.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MailFrom: sam.moelius@trailofbits.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation Message-ID-Hash: LNU7I6YMHPLX5TMOVSFYUXAVY2Y6XSQP X-Message-ID-Hash: LNU7I6YMHPLX5TMOVSFYUXAVY2Y6XSQP X-Mailman-Approved-At: Wed, 10 Jun 2026 09:43:18 +0200 X-Mailman-Version: 3.3.10 Precedence: list Subject: [Cake] [PATCH net v2] net/sched: cake: reject overhead values that underflow length List-Id: Cake - FQ_codel the next generation Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: CAKE accepts overhead values that can make adjusted packet length arithmetic underflow. A negative effective length can wrap through unsigned arithmetic and become a large value. Such configurations make rate accounting depend on integer wraparound rather than on the packet size userspace intended to model. Validate overhead settings before using them in adjusted length calculations. Fixes: a729b7f0bd5b ("sch_cake: Add overhead compensation support to the rate shaper") Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius --- Changes in v2: - Add fixes tag net/sched/sch_cake.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c index 5862933be8d7..03972e5525b5 100644 --- a/net/sched/sch_cake.c +++ b/net/sched/sch_cake.c @@ -2308,12 +2308,18 @@ static void cake_reset(struct Qdisc *sch) cake_clear_tin(sch, c); } +static const struct netlink_range_validation_signed cake_overhead_range = { + .min = -64, + .max = 256, +}; + static const struct nla_policy cake_policy[TCA_CAKE_MAX + 1] = { [TCA_CAKE_BASE_RATE64] = { .type = NLA_U64 }, [TCA_CAKE_DIFFSERV_MODE] = { .type = NLA_U32 }, [TCA_CAKE_ATM] = { .type = NLA_U32 }, [TCA_CAKE_FLOW_MODE] = { .type = NLA_U32 }, - [TCA_CAKE_OVERHEAD] = { .type = NLA_S32 }, + [TCA_CAKE_OVERHEAD] = + NLA_POLICY_FULL_RANGE_SIGNED(NLA_S32, &cake_overhead_range), [TCA_CAKE_RTT] = { .type = NLA_U32 }, [TCA_CAKE_TARGET] = { .type = NLA_U32 }, [TCA_CAKE_AUTORATE] = { .type = NLA_U32 }, -- 2.43.0