Commit 4da4e4bd authored Nov 06, 2025 by Nate Karstens Committed by Jakub Kicinski Nov 07, 2025

strparser: Fix signed/unsigned mismatch bug



The `len` member of the sk_buff is an unsigned int. This is cast to
`ssize_t` (a signed type) for the first sk_buff in the comparison,
but not the second sk_buff. On 32-bit systems, this can result in
an integer underflow for certain values because unsigned arithmetic
is being used.

This appears to be an oversight: if the intention was to use unsigned
arithmetic, then the first cast would have been omitted. The change
ensures both len values are cast to `ssize_t`.

The underflow causes an issue with ktls when multiple TLS PDUs are
included in a single TCP segment. The mainline kernel does not use
strparser for ktls anymore, but this is still useful for other
features that still use strparser, and for backporting.

Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
Cc: stable@vger.kernel.org
Fixes: 43a0c675 ("strparser: Stream parser for messages")
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20251106222835.1871628-1-nate.karstens@garmin.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 74d44324

net/strparser/strparser.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -238,7 +238,7 @@ static int __strp_recv(read_descriptor_t desc, struct sk_buff orig_skb,
		strp_parser_err(strp, -EMSGSIZE, desc);
		break;
		} else if (len <= (ssize_t)head->len -
		skb->len - stm->strp.offset) {
		(ssize_t)skb->len - stm->strp.offset) {
		/* Length must be into new skb (and also
		* greater than zero)
		*/