diff options
author | Cong Wang <cong.wang@bytedance.com> | 2022-12-18 01:17:07 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2022-12-19 12:43:18 +0300 |
commit | 9cd3fd2054c3b3055163accbf2f31a4426f10317 (patch) | |
tree | 6fe1afa00c4329bc39273b4a4a833d4cb603cd5c | |
parent | 89529367293c975c3580f49f38568f44848d5683 (diff) | |
download | linux-9cd3fd2054c3b3055163accbf2f31a4426f10317.tar.xz |
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
for ematch implementation:
https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/
"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
set will simply result in allocating & copy. It's an optimization,
nothing more."
So if an ematch module provides ops->datalen that means it wants a
complex data structure (saved in its em->data) instead of a simple u32
value. We should simply reject such a combination, otherwise this u32
could be misinterpreted as a pointer.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/sched/ematch.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/sched/ematch.c b/net/sched/ematch.c index 4ce681361851..5c1235e6076a 100644 --- a/net/sched/ematch.c +++ b/net/sched/ematch.c @@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp, * the value carried. */ if (em_hdr->flags & TCF_EM_SIMPLE) { + if (em->ops->datalen > 0) + goto errout; if (data_len < sizeof(u32)) goto errout; em->data = *(u32 *) data; |