From patchwork Mon Nov 28 10:56:40 2016
X-Patchwork-Submitter: Amir Vadai
X-Patchwork-Id: 699930
X-Patchwork-Delegate: davem@davemloft.net
From: Amir Vadai
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Cong Wang, Jamal Hadi Salim, Or Gerlitz, Hadar Har-Zion, Jiri Pirko, Amir Vadai
Subject: [PATCH net V2] net/sched: pedit: make sure that offset is valid
Date: Mon, 28 Nov 2016 12:56:40 +0200
Message-Id: <20161128105640.32363-1-amir@vadai.me>
X-Mailer: git-send-email 2.10.2
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Add a validation function to make sure offset is valid:
1. Not below skb head (could happen when offset is negative).
2. Validate both 'offset' and 'at'.

Signed-off-by: Amir Vadai
---
Hi Dave,

Please pull to -stable branches.

Changes from V0:
- Add a validation to the 'at' value (this is used as an offset too)
- Instead of validating the output of skb_header_pointer(), make sure
  that the offset is good before calling it.

Thanks,
Amir

 net/sched/act_pedit.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index b54d56d4959b..cf9b2fe8eac6 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -108,6 +108,17 @@ static void tcf_pedit_cleanup(struct tc_action *a, int bind) kfree(keys); } +static bool offset_valid(struct sk_buff *skb, int offset) +{ + if (offset > 0 && offset > skb->len) + return false; + + if (offset < 0 && -offset > skb_headroom(skb)) + return false; + + return true; +} + static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a, struct tcf_result *res) { @@ -134,6 +145,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a, if (tkey->offmask) { char *d, _d; + if (!offset_valid(skb, off + tkey->at)) { + pr_info("tc filter pedit 'at' offset %d out of bounds\n", + off + tkey->at); + goto bad; + } d = skb_header_pointer(skb, off + tkey->at, 1, &_d); if (!d) 
@@ -146,10 +162,10 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a, " offset must be on 32 bit boundaries\n"); goto bad; } - if (offset > 0 && offset > skb->len) { - pr_info("tc filter pedit" - " offset %d can't exceed pkt length %d\n", - offset, skb->len); + + if (!offset_valid(skb, off + offset)) { + pr_info("tc filter pedit offset %d out of bounds\n", + offset); goto bad; }
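Review bot: offset_valid(), added in the @@ -108,6 +108,17 @@ hunk, takes no access length, so `offset > skb->len` accepts offset == skb->len (one past the last byte) and leaves the real upper bound to the skb_header_pointer() call that follows. Consider passing the width of the access and rejecting when offset + len exceeds skb->len, so the helper's answer is sufficient on its own. `-offset` also overflows when offset is INT_MIN; writing the lower-bound test without the negation avoids relying on wraparound. A one-line comment saying that negative offsets are legal down to the headroom would document the non-obvious half of the check.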
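Review bot: in the @@ -134,6 +145,11 @@ hunk the expression `off + tkey->at` is written three times (the offset_valid() check, the pr_info() argument and the skb_header_pointer() call). Computing it once into a local and using that in all three places guarantees the value validated is the value used, and makes the type passed to %d explicit. The new pr_info() also sits on the per-skb path of tcf_pedit(), so a rate-limited variant such as pr_info_ratelimited() would keep a bad filter from flooding the log.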
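Review bot: in the @@ -146,10 +162,10 @@ hunk the check is made on `off + offset` but the message prints `offset`, so the logged number is not the one that failed; the 'at' message in the previous hunk prints the full sum. Print `off + offset` here as well, and consider keeping skb->len in the message as the removed lines did, since "out of bounds" without the bound is harder to act on when debugging a filter.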