Commit cbd37556 authored by stephen hemminger's avatar stephen hemminger Committed by David S. Miller

htb: fix sign extension bug

When userspace passes a large priority value
the assignment of the unsigned value hopt->prio
to  signed int cl->prio causes cl->prio to become negative and the
comparison is with TC_HTB_NUMPRIO is always false.

The result is that HTB crashes by referencing outside
the array when processing packets. With this patch the large value
wraps around like other values outside the normal range.

See: https://bugzilla.kernel.org/show_bug.cgi?id=60669Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
Acked-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 78738141
...@@ -100,7 +100,7 @@ struct htb_class { ...@@ -100,7 +100,7 @@ struct htb_class {
struct psched_ratecfg ceil; struct psched_ratecfg ceil;
s64 buffer, cbuffer;/* token bucket depth/rate */ s64 buffer, cbuffer;/* token bucket depth/rate */
s64 mbuffer; /* max wait time */ s64 mbuffer; /* max wait time */
int prio; /* these two are used only by leaves... */ u32 prio; /* these two are used only by leaves... */
int quantum; /* but stored for parent-to-leaf return */ int quantum; /* but stored for parent-to-leaf return */
struct tcf_proto *filter_list; /* class attached filters */ struct tcf_proto *filter_list; /* class attached filters */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment