summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCong Wang <cong.wang@bytedance.com>2022-12-18 01:17:07 +0300
committerDavid S. Miller <davem@davemloft.net>2022-12-19 12:43:18 +0300
commit9cd3fd2054c3b3055163accbf2f31a4426f10317 (patch)
tree6fe1afa00c4329bc39273b4a4a833d4cb603cd5c
parent89529367293c975c3580f49f38568f44848d5683 (diff)
downloadlinux-9cd3fd2054c3b3055163accbf2f31a4426f10317.tar.xz
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
When TCF_EM_SIMPLE was introduced, it is supposed to be convenient for ematch implementation: https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/ "You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE set will simply result in allocating & copy. It's an optimization, nothing more." So if an ematch module provides ops->datalen that means it wants a complex data structure (saved in its em->data) instead of a simple u32 value. We should simply reject such a combination, otherwise this u32 could be misinterpreted as a pointer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com Reported-by: Jun Nie <jun.nie@linaro.org> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Cong Wang <cong.wang@bytedance.com> Acked-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/ematch.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 4ce681361851..5c1235e6076a 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
* the value carried.
*/
if (em_hdr->flags & TCF_EM_SIMPLE) {
+ if (em->ops->datalen > 0)
+ goto errout;
if (data_len < sizeof(u32))
goto errout;
em->data = *(u32 *) data;