netfilter: nft_limit: reject configurations that cause integer overflow

jira VULN-8197
cve CVE-2024-26668
commit-author Florian Westphal <[email protected]>
commit c9d9eb9
upstream-diff Used `limit' struct instead of `priv' because of missing
  369b6cb. Also added casts to `u64'
  where appropriate as inspired by the RH's LTS 9.4 backport of this patch
  embedded in 270e20b.

Reject bogus configs where internal token counter wraps around.
This only occurs with very very large requests, such as 17gbyte/s.

Its better to reject this rather than having incorrect ratelimit.

Fixes: d2168e8 ("netfilter: nft_limit: add per-byte limiting")
	Signed-off-by: Florian Westphal <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit c9d9eb9)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

net/netfilter/nft_limit.c

@@ -54,16 +54,18 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost)
 static int nft_limit_init(struct nft_limit *limit,
 			  const struct nlattr * const tb[], bool pkts)
 {
-	u64 unit, tokens;
+	u64 unit, tokens, rate_with_burst;
 
 	if (tb[NFTA_LIMIT_RATE] == NULL ||
 	    tb[NFTA_LIMIT_UNIT] == NULL)
 		return -EINVAL;
 
 	limit->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
+	if (limit->rate == 0)
+		return -EINVAL;
+
 	unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
-	limit->nsecs = unit * NSEC_PER_SEC;
-	if (limit->rate == 0 || limit->nsecs < unit)
+	if (check_mul_overflow(unit, (u64)NSEC_PER_SEC, &limit->nsecs))
 		return -EOVERFLOW;
 
 	if (tb[NFTA_LIMIT_BURST])
@@ -72,18 +74,25 @@ static int nft_limit_init(struct nft_limit *limit,
 	if (pkts && limit->burst == 0)
 		limit->burst = NFT_LIMIT_PKT_BURST_DEFAULT;
 
-	if (limit->rate + limit->burst < limit->rate)
+	if (check_add_overflow(limit->rate, (u64)limit->burst, &rate_with_burst))
 		return -EOVERFLOW;
 
 	if (pkts) {
-		tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst;
+		u64 tmp = div64_u64(limit->nsecs, limit->rate);
+
+		if (check_mul_overflow(tmp, (u64)limit->burst, &tokens))
+			return -EOVERFLOW;
 	} else {
+		u64 tmp;
+
 		/* The token bucket size limits the number of tokens can be
 		 * accumulated. tokens_max specifies the bucket size.
 		 * tokens_max = unit * (rate + burst) / rate.
 		 */
-		tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst),
-				 limit->rate);
+		if (check_mul_overflow(limit->nsecs, rate_with_burst, &tmp))
+			return -EOVERFLOW;
+
+		tokens = div64_u64(tmp, limit->rate);
 	}
 
 	limit->tokens = tokens;