• Cong Wang's avatar
    net_sched: fix datalen for ematch · 66ac8ee9
    Cong Wang authored
    [ Upstream commit 61678d28 ]
    
    syzbot reported an out-of-bound access in em_nbyte. As initially
    analyzed by Eric, this is because em_nbyte sets its own em->datalen
    in em_nbyte_change() other than the one specified by user, but this
    value gets overwritten later by its caller tcf_em_validate().
    We should leave em->datalen untouched to respect their choices.
    
    I audit all the in-tree ematch users, all of those implement
    ->change() set em->datalen, so we can just avoid setting it twice
    in this case.
    
    Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
    Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
    Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    66ac8ee9
ematch.c 14.6 KB