From c03072dea1c0fc5d66e48692cd8be13443327a29 Mon Sep 17 00:00:00 2001

From: Jamal Hadi Salim <jhs@mojatatu.com>

Date: Sun, 1 Jan 2023 16:57:43 -0500

Subject: [PATCH 2/2] net: sched: atm: dont intepret cls results when asked to

 drop

Git-commit: a2965c7be0522eaa18808684b7b82b248515511b

References: bsc#1207125 CVE-2023-23455

Patch-mainline: v6.2-rc3

If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume

res.class contains a valid pointer

Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent")

Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>

Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Denis Kirjanov <denis.kirjanov@suse.com>

---

 net/sched/sch_atm.c | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c

index 6385995dc700..34dd0434d99d 100644

--- a/net/sched/sch_atm.c

+++ b/net/sched/sch_atm.c

@@ -396,10 +396,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch,

 				result = tcf_classify(skb, fl, &res, true);

 				if (result < 0)

 					continue;

+				if (result == TC_ACT_SHOT)

+					goto done;

+

 				flow = (struct atm_flow_data *)res.class;

 				if (!flow)

 					flow = lookup_flow(sch, res.classid);

-				goto done;

+				goto drop;

 			}

 		}

 		flow = NULL;

-- 

2.16.4