diff options
| author | Cong Wang <xiyou.wangcong@gmail.com> | 2020-01-22 15:42:02 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-29 10:24:37 +0100 |
| commit | 627996d4ca0c16be2c5ff83803979a613aadefda (patch) | |
| tree | 7cd70c2d9375d11e5ed92c0bde23733586656d7f | |
| parent | 6769626ba9a6b3127aff667be9b0a7f622fe7a92 (diff) | |
| download | linux-rt-627996d4ca0c16be2c5ff83803979a613aadefda.tar.gz | |
net_sched: fix datalen for ematch
[ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]
syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.
I audit all the in-tree ematch users, all of those implement
->change() set em->datalen, so we can just avoid setting it twice
in this case.
Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/sched/ematch.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sched/ematch.c b/net/sched/ematch.c index fbb7ebfc58c6..b0b04b3c0896 100644 --- a/net/sched/ematch.c +++ b/net/sched/ematch.c @@ -267,12 +267,12 @@ static int tcf_em_validate(struct tcf_proto *tp, } em->data = (unsigned long) v; } + em->datalen = data_len; } } em->matchid = em_hdr->matchid; em->flags = em_hdr->flags; - em->datalen = data_len; em->net = net; err = 0; |