git.baikalelectronics.ru Git - kernel.git/commit

author	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Thu, 20 Apr 2017 12:08:26 +0000 (14:08 +0200)
committer	David S. Miller <davem@davemloft.net>
	Thu, 20 Apr 2017 20:32:07 +0000 (16:32 -0400)
commit	46894e42a63f232a430d23d9e1ea2098c03a85f8
tree	09149bb2d06e45a11b06bed0ce7c4afb453490a8	tree \| snapshot
parent	0eb0947d8113ab75af05ee639eebb2e9ad53edcd	commit \| diff

net sched actions: allocate act cookie early

Policing filters do not use the TCA_ACT_* enum and the tb[]
nlattr array in tcf_action_init_1() doesn't get filled for
them so we should not try to look for a TCA_ACT_COOKIE
attribute in the then uninitialized array.
The error handling in cookie allocation then calls
tcf_hash_release() leading to invalid memory access later
on.
Additionally, if cookie allocation fails after an already
existing non-policing filter has successfully been changed,
tcf_action_release() should not be called, also we would
have to roll back the changes in the error handling, so
instead we now allocate the cookie early and assign it on
success at the end.

CVE-2017-7979
Fixes: efc35c42a663 ("net sched actions: Add support for user cookies")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>