vsock: fix buffer size clamping order

In vsock_update_buffer_size(), the buffer size was being clamped to the
maximum first, and then to the minimum. If a user sets a minimum buffer
size larger than the maximum, the minimum check overrides the maximum
check, inverting the constraint.

This breaks the intended socket memory boundaries by allowing the
vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.

Fix this by checking the minimum first, and then the maximum. This
ensures the buffer size never exceeds the buffer_max_size.

Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index d912ed2f012a3e9c503f1acf98c72b48aeaa58c1..08f4dfb9782c284f0bdbf3e9ef7c4d847a517629 100644 (file)
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1951,12 +1951,12 @@ static void vsock_update_buffer_size(struct vsock_sock *vsk,
                                     const struct vsock_transport *transport,
                                     u64 val)
 {
-       if (val > vsk->buffer_max_size)
-               val = vsk->buffer_max_size;
-
        if (val < vsk->buffer_min_size)
                val = vsk->buffer_min_size;
 
+       if (val > vsk->buffer_max_size)
+               val = vsk->buffer_max_size;
+
        if (val != vsk->buffer_size &&
            transport && transport->notify_buffer_size)
                transport->notify_buffer_size(vsk, &val);