From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Jamal Hadi Salim, Cong Wang, Jiri Pirko, "David S. Miller", netdev@vger.kernel.org (open list:TC subsystem), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] net: sched: cls: fix a potential missing-check bug
Date: Fri, 4 May 2018 02:05:05 -0500
Message-Id: <1525417505-19056-1-git-send-email-wang6495@umn.edu>

In rsvp_change(), the value of f->res.classid is checked to be no more than 255. Otherwise, the execution will goto errout. This is enforced by an if-statement check. However, in the following execution, f->res.classid is assigned with a new value returned from gen_tunnel(), and the new value is only checked against 0. Given that gen_tunnel() may return a value larger than 255 based on data, the new value of f->res.classid should be re-checked. This patch adds a re-check to ensure the new value of f->res.classid is not greater than 255; otherwise, an error code will be returned.

Signed-off-by: Wenwen Wang

--- net/sched/cls_rsvp.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h index 4f12976..7ced8fc 100644 --- a/net/sched/cls_rsvp.h +++ b/net/sched/cls_rsvp.h @@ -590,6 +590,9 @@ static int rsvp_change(struct net *net, struct sk_buff *in_skb, if (f->res.classid == 0 && (f->res.classid = gen_tunnel(data)) == 0) goto errout; + + if (f->res.classid > 255) + goto errout; } for (sp = &data->ht[h1]; -- 2.7.4
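
Review bot: The added `if (f->res.classid > 255) goto errout;` in rsvp_change() does not set an error code before jumping, although the commit message says "an error code will be returned"; the hunk does not show what the return variable holds at this point, so please either set it explicitly right before the `goto` or state in the message which value is returned on this path. The new check also sits after the `gen_tunnel()` branch rather than inside it, so it runs when f->res.classid was already non-zero and, per the commit message, already bounded to 255 by the earlier if-statement; folding it into the branch that assigns from `gen_tunnel(data)` would make the intent clearer. Finally, the message asserts that gen_tunnel() "may return a value larger than 255 based on data" without showing how; a sentence on which state in `data` produces such a value would let reviewers judge whether the re-check is reachable.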