|
|
9f135a |
From 5eb3f07aa8bc9ba0b988a8d5f6a72318235074f7 Mon Sep 17 00:00:00 2001
|
|
|
9f135a |
From: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
9f135a |
Date: Sun, 1 Jan 2023 16:57:43 -0500
|
|
|
9f135a |
Subject: [PATCH 1/2] net: sched: atm: dont intepret cls results when asked to
|
|
|
9f135a |
drop
|
|
|
9f135a |
Git-commit: a2965c7be0522eaa18808684b7b82b248515511b
|
|
Michal Koutný |
03cf48 |
References: bsc#1207036 CVE-2023-23454 bsc#1207125 CVE-2023-23455
|
|
|
9f135a |
Patch-mainline: v6.2-rc3
|
|
|
9f135a |
|
|
|
9f135a |
If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
|
|
|
9f135a |
res.class contains a valid pointer
|
|
|
9f135a |
Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent")
|
|
|
9f135a |
|
|
|
9f135a |
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
9f135a |
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
9f135a |
Signed-off-by: Denis Kirjanov <denis.kirjanov@suse.com>
|
|
|
9f135a |
---
|
|
|
9f135a |
net/sched/sch_atm.c | 5 ++++-
|
|
|
9f135a |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
9f135a |
|
|
|
9f135a |
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
|
|
|
9f135a |
index c5fd6366f309..9b255f13f2af 100644
|
|
|
9f135a |
--- a/net/sched/sch_atm.c
|
|
|
9f135a |
+++ b/net/sched/sch_atm.c
|
|
|
9f135a |
@@ -386,10 +386,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
|
|
|
9f135a |
result = tcf_classify(skb, fl, &res, true);
|
|
|
9f135a |
if (result < 0)
|
|
|
9f135a |
continue;
|
|
|
9f135a |
+ if (result == TC_ACT_SHOT)
|
|
|
9f135a |
+ goto done;
|
|
|
9f135a |
+
|
|
|
9f135a |
flow = (struct atm_flow_data *)res.class;
|
|
|
9f135a |
if (!flow)
|
|
|
9f135a |
flow = lookup_flow(sch, res.classid);
|
|
|
9f135a |
- goto done;
|
|
|
9f135a |
+ goto drop;
|
|
|
9f135a |
}
|
|
|
9f135a |
}
|
|
|
9f135a |
flow = NULL;
|
|
|
9f135a |
--
|
|
|
9f135a |
2.16.4
|
|
|
9f135a |
|