summaryrefslogtreecommitdiffstats
path: root/net/sched/ematch.c
diff options
context:
space:
mode:
authorCong Wang <xiyou.wangcong@gmail.com>2020-01-23 00:42:02 +0100
committerDavid S. Miller <davem@davemloft.net>2020-01-23 21:34:42 +0100
commit61678d28d4a45ef376f5d02a839cc37509ae9281 (patch)
treef3a4b4805448da26fd0d43423a0ae0c2905e4d98 /net/sched/ematch.c
parentMerge branch 'Fixes-for-SONIC-ethernet-driver' (diff)
downloadlinux-61678d28d4a45ef376f5d02a839cc37509ae9281.tar.xz
linux-61678d28d4a45ef376f5d02a839cc37509ae9281.zip
net_sched: fix datalen for ematch
syzbot reported an out-of-bound access in em_nbyte. As initially analyzed by Eric, this is because em_nbyte sets its own em->datalen in em_nbyte_change() other than the one specified by user, but this value gets overwritten later by its caller tcf_em_validate(). We should leave em->datalen untouched to respect their choices. I audit all the in-tree ematch users, all of those implement ->change() set em->datalen, so we can just avoid setting it twice in this case. Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r--net/sched/ematch.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 8f2ad706784d..d0140a92694a 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -263,12 +263,12 @@ static int tcf_em_validate(struct tcf_proto *tp,
}
em->data = (unsigned long) v;
}
+ em->datalen = data_len;
}
}
em->matchid = em_hdr->matchid;
em->flags = em_hdr->flags;
- em->datalen = data_len;
em->net = net;
err = 0;