author: Daniel Borkmann <daniel@iogearbox.net> 2023-08-25 15:49:46 +0200
committer: David S. Miller <davem@davemloft.net> 2023-08-28 11:18:03 +0200
commit: 3a1e2f43985af0dea5750c6436f8cb979780c084
tree: 954dc92c31f6c9b06407e75ab7b37eede2c8505c /net
parent: net: Fix skb consume leak in sch_handle_egress
net: Make consumed action consistent in sch_handle_egress
While looking at TC_ACT_* handling, the TC_ACT_CONSUMED is only handled in sch_handle_ingress but not sch_handle_egress. This was added via cd11b164073b ("net/tc: introduce TC_ACT_REINSERT.") and e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") and later got renamed into TC_ACT_CONSUMED via 720f22fed81b ("net: sched: refactor reinsert action").

The initial work was targeted for ovs back then and only needed on ingress, and the mirred action module also restricts it to only that. However, given it's an API contract it would still make sense to make this consistent to sch_handle_ingress and handle it on egress side in the same way, that is, setting return code to "success" and returning NULL back to the caller as otherwise an action module sitting on egress returning TC_ACT_CONSUMED could lead to an UAF when untreated.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- net/core/dev.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index 9f6ed6d97f89..ccff2b6ef958 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4062,6 +4062,8 @@ egress_verdict:
case TC_ACT_QUEUED:
case TC_ACT_TRAP:
consume_skb(skb);
+ fallthrough;
+ case TC_ACT_CONSUMED:
*ret = NET_XMIT_SUCCESS;
return NULL;
}
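Review bot: the new `case TC_ACT_CONSUMED:` label is placed below `consume_skb(skb)`, so unlike TC_ACT_QUEUED and TC_ACT_TRAP above it, this verdict returns NULL without releasing the skb here, and nothing in the code records why. Since the fix depends on that asymmetry, a one-line comment at the label stating that the skb is not released on this path (for example `/* skb is not ours to free for this verdict */`) would keep a later cleanup from folding the label into the group above `consume_skb(skb)` or reordering the cases. The commit message also says the mirred action restricts this verdict to ingress, so it would help to note in the changelog or a comment that no in-tree egress user is known and the case is there to honour the API contract.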