• Wolfgang Bumiller's avatar
    net sched actions: allocate act cookie early · e0535ce5
    Wolfgang Bumiller authored
    Policing filters do not use the TCA_ACT_* enum and the tb[]
    nlattr array in tcf_action_init_1() doesn't get filled for
    them so we should not try to look for a TCA_ACT_COOKIE
    attribute in the then uninitialized array.
    The error handling in cookie allocation then calls
    tcf_hash_release() leading to invalid memory access later
    on.
    Additionally, if cookie allocation fails after an already
    existing non-policing filter has successfully been changed,
    tcf_action_release() should not be called, also we would
    have to roll back the changes in the error handling, so
    instead we now allocate the cookie early and assign it on
    success at the end.
    
    CVE-2017-7979
    Fixes: 1045ba77 ("net sched actions: Add support for user cookies")
    Signed-off-by: default avatarWolfgang Bumiller <w.bumiller@proxmox.com>
    Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    e0535ce5
act_api.c 24.6 KB