netfilter: nft_limit: reject configurations that cause integer overflow

pvts-mat · PlaidCat · commit dfdd6ef8086d · 2025-10-16T12:50:30.000-04:00
jira VULN-8197 cve CVE-2024-26668 commit-author Florian Westphal <fw@strlen.de> commit c9d9eb9 upstream-diff Used `limit' struct instead of `priv' because of missing 369b6cb. Also added casts to `u64' where appropriate as inspired by the RH's LTS 9.4 backport of this patch embedded in 270e20b. Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit. Fixes: d2168e8 ("netfilter: nft_limit: add per-byte limiting") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit c9d9eb9) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
@@ -54,16 +54,18 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost)
 static int nft_limit_init(struct nft_limit *limit,
 			  const struct nlattr * const tb[], bool pkts)
 {
-	u64 unit, tokens;
+	u64 unit, tokens, rate_with_burst;
 
 	if (tb[NFTA_LIMIT_RATE] == NULL ||
 	    tb[NFTA_LIMIT_UNIT] == NULL)
 		return -EINVAL;
 
 	limit->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
+	if (limit->rate == 0)
+		return -EINVAL;
+
 	unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
-	limit->nsecs = unit * NSEC_PER_SEC;
-	if (limit->rate == 0 || limit->nsecs < unit)
+	if (check_mul_overflow(unit, (u64)NSEC_PER_SEC, &limit->nsecs))
 		return -EOVERFLOW;
 
 	if (tb[NFTA_LIMIT_BURST])
@@ -72,18 +74,25 @@ static int nft_limit_init(struct nft_limit *limit,
 	if (pkts && limit->burst == 0)
 		limit->burst = NFT_LIMIT_PKT_BURST_DEFAULT;
 
-	if (limit->rate + limit->burst < limit->rate)
+	if (check_add_overflow(limit->rate, (u64)limit->burst, &rate_with_burst))
 		return -EOVERFLOW;
 
 	if (pkts) {
-		tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst;
+		u64 tmp = div64_u64(limit->nsecs, limit->rate);
+
+		if (check_mul_overflow(tmp, (u64)limit->burst, &tokens))
+			return -EOVERFLOW;
 	} else {
+		u64 tmp;
+
 		/* The token bucket size limits the number of tokens can be
 		 * accumulated. tokens_max specifies the bucket size.
 		 * tokens_max = unit * (rate + burst) / rate.
 		 */
-		tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst),
-				 limit->rate);
+		if (check_mul_overflow(limit->nsecs, rate_with_burst, &tmp))
+			return -EOVERFLOW;
+
+		tokens = div64_u64(tmp, limit->rate);
 	}
 
 	limit->tokens = tokens;
