Skip to content

Commit 9babe82

Browse files
fomichevAlexei Starovoitov
fomichev
authored and
Alexei Starovoitov
committed
bpf: always allocate at least 16 bytes for setsockopt hook
Since we always allocate memory, allocate just a little bit more for the BPF program in case it need to override user input with bigger value. The canonical example is TCP_CONGESTION where input string might be too small to override (nv -> bbr or cubic). 16 bytes are chosen to match the size of TCP_CA_NAME_MAX and can be extended in the future if needed. Signed-off-by: Stanislav Fomichev <[email protected]> Signed-off-by: Alexei Starovoitov <[email protected]>
1 parent a98bf57 commit 9babe82

File tree

1 file changed

+13
-4
lines changed

1 file changed

+13
-4
lines changed

kernel/bpf/cgroup.c

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -964,7 +964,6 @@ static int sockopt_alloc_buf(struct bpf_sockopt_kern *ctx, int max_optlen)
964964
return -ENOMEM;
965965

966966
ctx->optval_end = ctx->optval + max_optlen;
967-
ctx->optlen = max_optlen;
968967

969968
return 0;
970969
}
@@ -984,7 +983,7 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
984983
.level = *level,
985984
.optname = *optname,
986985
};
987-
int ret;
986+
int ret, max_optlen;
988987

989988
/* Opportunistic check to see whether we have any BPF program
990989
* attached to the hook so we don't waste time allocating
@@ -994,10 +993,18 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
994993
__cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_SETSOCKOPT))
995994
return 0;
996995

997-
ret = sockopt_alloc_buf(&ctx, *optlen);
996+
/* Allocate a bit more than the initial user buffer for
997+
* BPF program. The canonical use case is overriding
998+
* TCP_CONGESTION(nv) to TCP_CONGESTION(cubic).
999+
*/
1000+
max_optlen = max_t(int, 16, *optlen);
1001+
1002+
ret = sockopt_alloc_buf(&ctx, max_optlen);
9981003
if (ret)
9991004
return ret;
10001005

1006+
ctx.optlen = *optlen;
1007+
10011008
if (copy_from_user(ctx.optval, optval, *optlen) != 0) {
10021009
ret = -EFAULT;
10031010
goto out;
@@ -1016,7 +1023,7 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
10161023
if (ctx.optlen == -1) {
10171024
/* optlen set to -1, bypass kernel */
10181025
ret = 1;
1019-
} else if (ctx.optlen > *optlen || ctx.optlen < -1) {
1026+
} else if (ctx.optlen > max_optlen || ctx.optlen < -1) {
10201027
/* optlen is out of bounds */
10211028
ret = -EFAULT;
10221029
} else {
@@ -1063,6 +1070,8 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
10631070
if (ret)
10641071
return ret;
10651072

1073+
ctx.optlen = max_optlen;
1074+
10661075
if (!retval) {
10671076
/* If kernel getsockopt finished successfully,
10681077
* copy whatever was returned to the user back

0 commit comments

Comments
 (0)