* [PATCH net v2] net/sched: act_mpls: ensure LSE is pullable before reading it
From: Davide Caratti @ 2020-12-03 9:37 UTC (permalink / raw)
To: jhs, jiri, Cong Wang, kuba, netdev; +Cc: gnault, marcelo.leitner, John Hurley
when 'act_mpls' is used to mangle the LSE, the current value is read from
the packet dereferencing 4 bytes at mpls_hdr(): ensure that the label is
contained in the skb "linear" area.
Found by code inspection.
v2:
- use MPLS_HLEN instead of sizeof(new_lse), thanks to Jakub Kicinski
Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
net/sched/act_mpls.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sched/act_mpls.c b/net/sched/act_mpls.c
index 5c7456e5b5cf..d1486ea496a2 100644
--- a/net/sched/act_mpls.c
+++ b/net/sched/act_mpls.c
@@ -105,6 +105,9 @@ static int tcf_mpls_act(struct sk_buff *skb, const struct tc_action *a,
goto drop;
break;
case TCA_MPLS_ACT_MODIFY:
+ if (!pskb_may_pull(skb,
+ skb_network_offset(skb) + MPLS_HLEN))
+ goto drop;
new_lse = tcf_mpls_get_lse(mpls_hdr(skb), p, false);
if (skb_mpls_update_lse(skb, new_lse))
goto drop;
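Review bot: the new pskb_may_pull() guard in the TCA_MPLS_ACT_MODIFY case has no comment saying why it is there. A one-line comment noting that tcf_mpls_get_lse() reads MPLS_HLEN bytes at mpls_hdr(skb) would keep it from being dropped later as redundant. The ordering should be preserved as written: mpls_hdr(skb) is evaluated only after the pull, which matters because pskb_may_pull() can reallocate the skb head, so the pointer must not be cached above the check. The guard covers this one case only; the other cases of the switch are not visible in this hunk, so it is worth confirming that any of them that read the header are covered by an equivalent check.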
--
2.28.0
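A user-space model of the check described in the commit message above, as an added example that is not part of the original thread or the kernel source. toy_skb, toy_may_pull(), toy_read_lse() and demo() are hypothetical stand-ins for sk_buff, pskb_may_pull() and the read at mpls_hdr(); the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MPLS_HLEN 4 /* one label stack entry, as used in the patch */

/* Toy stand-in for sk_buff: 'head' is directly addressable (the "linear"
 * area); 'frag' models paged data that must be copied in before access. */
struct toy_skb {
    uint8_t head[64];
    size_t linear_len;
    const uint8_t *frag;
    size_t frag_len;
    size_t network_offset;
};

/* Simplified analogue of pskb_may_pull(): make the first 'len' bytes linear. */
static int toy_may_pull(struct toy_skb *skb, size_t len)
{
    size_t need;
    if (len <= skb->linear_len) return 1;
    need = len - skb->linear_len;
    if (need > skb->frag_len || len > sizeof(skb->head)) return 0;
    memcpy(skb->head + skb->linear_len, skb->frag, need);
    skb->linear_len = len;
    skb->frag += need;
    skb->frag_len -= need;
    return 1;
}

/* Read the LSE only after the pull check: 0 on success, -1 means drop. */
static int toy_read_lse(struct toy_skb *skb, uint32_t *lse)
{
    const uint8_t *p;
    if (!toy_may_pull(skb, skb->network_offset + MPLS_HLEN))
        return -1;
    p = skb->head + skb->network_offset; /* computed after the pull */
    *lse = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8 | (uint32_t)p[3];
    return 0;
}

/* Constructed packet: 14 header bytes plus half of the LSE are linear,
 * the other half sits in the fragment (cut to 1 byte when 'truncated'). */
static int demo(int truncated, uint32_t *lse)
{
    static const uint8_t tail[] = { 0x41, 0x40 };
    struct toy_skb skb = { .linear_len = 16, .frag = tail,
                           .frag_len = truncated ? 1 : 2, .network_offset = 14 };
    skb.head[14] = 0x00; skb.head[15] = 0x06;
    return toy_read_lse(&skb, lse);
}
```

Without the pull, the read at offset 14 would run two bytes past the linear data; with it, the split entry is read whole and the truncated packet is dropped.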
* Re: [PATCH net v2] net/sched: act_mpls: ensure LSE is pullable before reading it
From: Guillaume Nault @ 2020-12-03 18:15 UTC (permalink / raw)
To: Davide Caratti
Cc: jhs, jiri, Cong Wang, kuba, netdev, marcelo.leitner, John Hurley
On Thu, Dec 03, 2020 at 10:37:52AM +0100, Davide Caratti wrote:
> when 'act_mpls' is used to mangle the LSE, the current value is read from
> the packet dereferencing 4 bytes at mpls_hdr(): ensure that the label is
> contained in the skb "linear" area.
Acked-by: Guillaume Nault <gnault@redhat.com>
* Re: [PATCH net v2] net/sched: act_mpls: ensure LSE is pullable before reading it
From: patchwork-bot+netdevbpf @ 2020-12-03 19:20 UTC (permalink / raw)
To: Davide Caratti
Cc: jhs, jiri, xiyou.wangcong, kuba, netdev, gnault, marcelo.leitner,
john.hurley
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Thu, 3 Dec 2020 10:37:52 +0100 you wrote:
> when 'act_mpls' is used to mangle the LSE, the current value is read from
> the packet dereferencing 4 bytes at mpls_hdr(): ensure that the label is
> contained in the skb "linear" area.
>
> Found by code inspection.
>
> v2:
> - use MPLS_HLEN instead of sizeof(new_lse), thanks to Jakub Kicinski
>
> [...]
Here is the summary with links:
- [net,v2] net/sched: act_mpls: ensure LSE is pullable before reading it
https://git.kernel.org/netdev/net/c/9608fa653059
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html