Skip to content

[LTS 9.2] CVE-2024-26585, CVE-2024-26668 #623

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 16, 2025
Merged

[LTS 9.2] CVE-2024-26585, CVE-2024-26668 #623

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bce037a
tls: fix race between tx work scheduling and socket close
pvts-mat Oct 13, 2025
16e1adf
netfilter: nft_limit: reject configurations that cause integer overflow
pvts-mat Oct 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 16 additions & 7 deletions net/netfilter/nft_limit.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,16 +54,18 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost)
static int nft_limit_init(struct nft_limit *limit,
const struct nlattr * const tb[], bool pkts)
{
u64 unit, tokens;
u64 unit, tokens, rate_with_burst;

if (tb[NFTA_LIMIT_RATE] == NULL ||
tb[NFTA_LIMIT_UNIT] == NULL)
return -EINVAL;

limit->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
if (limit->rate == 0)
return -EINVAL;

unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
limit->nsecs = unit * NSEC_PER_SEC;
if (limit->rate == 0 || limit->nsecs < unit)
if (check_mul_overflow(unit, (u64)NSEC_PER_SEC, &limit->nsecs))
return -EOVERFLOW;

if (tb[NFTA_LIMIT_BURST])
Expand All @@ -72,18 +74,25 @@ static int nft_limit_init(struct nft_limit *limit,
if (pkts && limit->burst == 0)
limit->burst = NFT_LIMIT_PKT_BURST_DEFAULT;

if (limit->rate + limit->burst < limit->rate)
if (check_add_overflow(limit->rate, (u64)limit->burst, &rate_with_burst))
return -EOVERFLOW;

if (pkts) {
tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst;
u64 tmp = div64_u64(limit->nsecs, limit->rate);

if (check_mul_overflow(tmp, (u64)limit->burst, &tokens))
return -EOVERFLOW;
} else {
u64 tmp;

/* The token bucket size limits the number of tokens can be
* accumulated. tokens_max specifies the bucket size.
* tokens_max = unit * (rate + burst) / rate.
*/
tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst),
limit->rate);
if (check_mul_overflow(limit->nsecs, rate_with_burst, &tmp))
return -EOVERFLOW;

tokens = div64_u64(tmp, limit->rate);
}

limit->tokens = tokens;
Expand Down
16 changes: 6 additions & 10 deletions net/tls/tls_sw.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -427,7 +427,6 @@ static void tls_encrypt_done(struct crypto_async_request *req, int err)
struct scatterlist *sge;
struct sk_msg *msg_en;
struct tls_rec *rec;
bool ready = false;
int pending;

rec = container_of(aead_req, struct tls_rec, aead_req);
Expand Down Expand Up @@ -459,8 +458,12 @@ static void tls_encrypt_done(struct crypto_async_request *req, int err)
/* If received record is at head of tx_list, schedule tx */
first_rec = list_first_entry(&ctx->tx_list,
struct tls_rec, list);
if (rec == first_rec)
ready = true;
if (rec == first_rec) {
/* Schedule the transmission */
if (!test_and_set_bit(BIT_TX_SCHEDULED,
&ctx->tx_bitmask))
schedule_delayed_work(&ctx->tx_work.work, 1);
}
}

spin_lock_bh(&ctx->encrypt_compl_lock);
Expand All @@ -469,13 +472,6 @@ static void tls_encrypt_done(struct crypto_async_request *req, int err)
if (!pending && ctx->async_notify)
complete(&ctx->async_wait.completion);
spin_unlock_bh(&ctx->encrypt_compl_lock);

if (!ready)
return;

/* Schedule the transmission */
if (!test_and_set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask))
schedule_delayed_work(&ctx->tx_work.work, 1);
}

static int tls_do_encryption(struct sock *sk,
Expand Down
Loading