git.baikalelectronics.ru Git - kernel.git/commit

author	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Thu, 20 Apr 2017 12:08:26 +0000 (14:08 +0200)
committer	David S. Miller <davem@davemloft.net>
	Thu, 20 Apr 2017 20:32:07 +0000 (16:32 -0400)
commit	fa25d6c2e9396153ec6a6fd550ba0d14c3c0009a
tree	09149bb2d06e45a11b06bed0ce7c4afb453490a8	tree \| snapshot
parent	61f805a1385fe08d7a8849c96b5b62d0aa1cd0fd	commit \| diff

net sched actions: allocate act cookie early

Policing filters do not use the TCA_ACT_* enum and the tb[]
nlattr array in tcf_action_init_1() doesn't get filled for
them so we should not try to look for a TCA_ACT_COOKIE
attribute in the then uninitialized array.
The error handling in cookie allocation then calls
tcf_hash_release() leading to invalid memory access later
on.
Additionally, if cookie allocation fails after an already
existing non-policing filter has successfully been changed,
tcf_action_release() should not be called, also we would
have to roll back the changes in the error handling, so
instead we now allocate the cookie early and assign it on
success at the end.

CVE-2017-7979
Fixes: b51344c6f108 ("net sched actions: Add support for user cookies")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>