From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 24B60125CB for ; Mon, 24 Jul 2023 23:02:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 59E32C433C8; Mon, 24 Jul 2023 23:02:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690239735; bh=hI0FdL79ONz1aw2g1iC99scsQbNuHJWqIktK0q9d2t0=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=b3Hg0PnxsGfHyDxuZnH9oVhSo/fPlHoGpUlKPIo/KKCaqq9MmtD+6Wwx1991G8LX8 fuPPoGWgcdApm3IY2/O19ElLmY3AudPAU0ErbNqhTY2mm5bPklUkMzbywOSKKDkvxr LUqDUQwAG5UEgQJZ3QCBaBai3U9nEaQZ1YO37cIBsbYmjX2tQDB0UyReM5GDBqAq5r oxol7DOgGyoRZVg2we88v/XRosM4QfAnMXE1rgeyqPXmPBrSia3VpfXSXS3AX43F7E idGRIi3yBoXdwqvAmRrpJsI+Z3Qv641aAP3UKXQ/6DvEm1mbsfVHq/r4re7u3QHojp 5R0xPh7TVAyPA== Date: Mon, 24 Jul 2023 16:02:14 -0700 From: Jakub Kicinski To: Lin Ma Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 Message-ID: <20230724160214.424573ac@kernel.org> In-Reply-To: <20230724014625.4087030-1-linma@zju.edu.cn> References: <20230724014625.4087030-1-linma@zju.edu.cn> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Mon, 24 Jul 2023 09:46:25 +0800 Lin Ma wrote: > The nla_for_each_nested parsing in function mqprio_parse_nlattr() does > not check the length of the nested attribute. This can lead to an > out-of-attribute read and allow a malformed nlattr (e.g., length 0) to > be viewed as 8 byte integer and passed to priv->max_rate/min_rate. > > This patch adds the check based on nla_len() when check the nla_type(), > which ensures that the length of these two attribute must equals > sizeof(u64). How do you run get_maintainer? You didn't CC the author of the code.