net_sched: fix datalen for ematch
[ Upstream commit61678d28d4] syzbot reported an out-of-bound access in em_nbyte. As initially analyzed by Eric, this is because em_nbyte sets its own em->datalen in em_nbyte_change() other than the one specified by user, but this value gets overwritten later by its caller tcf_em_validate(). We should leave em->datalen untouched to respect their choices. I audit all the in-tree ematch users, all of those implement ->change() set em->datalen, so we can just avoid setting it twice in this case. Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com Fixes:1da177e4c3("Linux-2.6.12-rc2") Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Cong Wang
Greg Kroah-Hartman
parent
888934af18
commit
b6a9a954b3
|
|
@ -263,12 +263,12 @@ static int tcf_em_validate(struct tcf_proto *tp,
|
|||
}
|
||||
em->data = (unsigned long) v;
|
||||
}
|
||||
em->datalen = data_len;
|
||||
}
|
||||
}
|
||||
|
||||
em->matchid = em_hdr->matchid;
|
||||
em->flags = em_hdr->flags;
|
||||
em->datalen = data_len;
|
||||
em->net = net;
|
||||
|
||||
err = 0;
|
||||
|
|
|
|||
Loading…
Reference in New Issue