summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorstephen hemminger <stephen@networkplumber.org>2013-08-02 07:32:07 +0200
committerDavid S. Miller <davem@davemloft.net>2013-08-02 23:52:20 +0200
commitcbd375567f7e4811b1c721f75ec519828ac6583f (patch)
treeaf09c22cc7ee9adb1d3758c07cd2ceabcc50b781
parentmacvlan: handle set_promiscuity failures (diff)
downloadlinux-cbd375567f7e4811b1c721f75ec519828ac6583f.tar.xz
linux-cbd375567f7e4811b1c721f75ec519828ac6583f.zip
htb: fix sign extension bug
When userspace passes a large priority value the assignment of the unsigned value hopt->prio to signed int cl->prio causes cl->prio to become negative and the comparison is with TC_HTB_NUMPRIO is always false. The result is that HTB crashes by referencing outside the array when processing packets. With this patch the large value wraps around like other values outside the normal range. See: https://bugzilla.kernel.org/show_bug.cgi?id=60669 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/sch_htb.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index c2124ea29f45..45e751527dfc 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -100,7 +100,7 @@ struct htb_class {
struct psched_ratecfg ceil;
s64 buffer, cbuffer;/* token bucket depth/rate */
s64 mbuffer; /* max wait time */
- int prio; /* these two are used only by leaves... */
+ u32 prio; /* these two are used only by leaves... */
int quantum; /* but stored for parent-to-leaf return */
struct tcf_proto *filter_list; /* class attached filters */