From patchwork Sun Nov 27 15:58:15 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Vadai X-Patchwork-Id: 699705 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3tRZH02TFtz9t2T for ; Mon, 28 Nov 2016 02:58:36 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752675AbcK0P63 (ORCPT ); Sun, 27 Nov 2016 10:58:29 -0500 Received: from mail-wm0-f68.google.com ([74.125.82.68]:36589 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752362AbcK0P61 (ORCPT ); Sun, 27 Nov 2016 10:58:27 -0500 Received: by mail-wm0-f68.google.com with SMTP id m203so15081067wma.3 for ; Sun, 27 Nov 2016 07:58:26 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=g1/MpbNB5IaC93W57O72cLIiO4oqIh5T8iFcwtcBjSI=; b=HMHaX/mhU7fTo+vWos8U66O1o7HZTl5TGNI8zNMqBykftq4zg6oL2wv5tsGzMKQfeV 3NZvzbYaHc7B5XeSKofTJhR5c2zlEUcG2iDWwRbWQIUTQ14sLT3ZNN1X0rqgfvueqCkl 72hEcBLEdrNi2YiMdyWUfF/566ygz5GhxgETx3PmlKJoJhtjNXEqrow1WGd/HaKwr4Pb n/l2Cfsb11JWlmoieGawx98TLNTbJXb7Atn9arUlRm5RRGAwm7O2Yr3lLCzQ1QuR5ITc qmEX1KI9rYlQQjWI4ZLwTpXw+1WkaZsF4RkThlgIVcNIYvjscn2ep061RFn3tJWHyYS9 5l0w== X-Gm-Message-State: AKaTC03udZ8uvsCgb+T8CuUJLdwJWcCQ6JVjTaLYHUsH/aD9cFEd0NB+MGXKh+sptftQ1w== X-Received: by 10.28.69.17 with SMTP id s17mr16032554wma.141.1480262305535; Sun, 27 Nov 2016 07:58:25 -0800 (PST) Received: from office.vadai.me ([192.116.94.213]) by smtp.gmail.com with ESMTPSA id g184sm24283839wme.23.2016.11.27.07.58.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 27 Nov 2016 07:58:24 -0800 (PST) From: Amir Vadai To: "David S. Miller" Cc: netdev@vger.kernel.org, Jamal Hadi Salim , Or Gerlitz , Hadar Har-Zion , Jiri Pirko , Amir Vadai Subject: [PATCH net] net/sched: act_pedit: limit negative offset Date: Sun, 27 Nov 2016 17:58:15 +0200 Message-Id: <20161127155815.10359-1-amir@vadai.me> X-Mailer: git-send-email 2.10.2 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Should not allow setting a negative offset that goes below the skb head. Signed-off-by: Amir Vadai --- Hi Dave, Please pull to -stable branches. Thanks, Amir net/sched/act_pedit.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index b54d56d4959b..e79e8a88f2d2 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -154,8 +154,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a, } ptr = skb_header_pointer(skb, off + offset, 4, &_data); - if (!ptr) + if ((unsigned char *)ptr < skb->head) { + pr_info("tc filter pedit offset out of bounds\n"); goto bad; + } + /* just do it, baby */ *ptr = ((*ptr & tkey->mask) ^ tkey->val); if (ptr == &_data)