* [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation
[not found] <cover.1780965530.git.zcliangcn@gmail.com>
@ 2026-06-09 8:34 ` Ren Wei
2026-06-11 16:37 ` Simon Horman
0 siblings, 1 reply; 2+ messages in thread
From: Ren Wei @ 2026-06-09 8:34 UTC (permalink / raw)
To: linux-atm-general, netdev; +Cc: 3chas3, yuantan098, bird, zcliangcn, n05ec
From: Zhengchuan Liang <zcliangcn@gmail.com>
Reject ATM traffic classes above ATM_ANYCLASS in check_tp().
SO_ATMQOS stores the supplied QoS after check_qos() succeeds, so
accepting larger values leaves invalid traffic_class values in
vcc->qos.
That bad state later reaches pvc_info(), which indexes class_name[]
with vcc->qos.{rx,tp}.traffic_class. Values above ATM_ANYCLASS cause
an out-of-bounds read when /proc/net/atm/pvc is read.
Tighten the existing QoS validation so invalid traffic_class values
are rejected at the point where user supplied QoS is accepted.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
net/atm/common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/atm/common.c b/net/atm/common.c
index fe77f51f6ce1..6eb78c34c284 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -720,6 +720,8 @@ static int atm_change_qos(struct atm_vcc *vcc, struct atm_qos *qos)
static int check_tp(const struct atm_trafprm *tp)
{
/* @@@ Should be merged with adjust_tp */
+ if (tp->traffic_class > ATM_ANYCLASS)
+ return -EINVAL;
if (!tp->traffic_class || tp->traffic_class == ATM_ANYCLASS)
return 0;
if (tp->traffic_class != ATM_UBR && !tp->min_pcr && !tp->pcr &&
--
2.47.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation
2026-06-09 8:34 ` [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation Ren Wei
@ 2026-06-11 16:37 ` Simon Horman
0 siblings, 0 replies; 2+ messages in thread
From: Simon Horman @ 2026-06-11 16:37 UTC (permalink / raw)
To: Ren Wei; +Cc: linux-atm-general, netdev, 3chas3, yuantan098, bird, zcliangcn
On Tue, Jun 09, 2026 at 04:34:37PM +0800, Ren Wei wrote:
> From: Zhengchuan Liang <zcliangcn@gmail.com>
>
> Reject ATM traffic classes above ATM_ANYCLASS in check_tp().
> SO_ATMQOS stores the supplied QoS after check_qos() succeeds, so
> accepting larger values leaves invalid traffic_class values in
> vcc->qos.
>
> That bad state later reaches pvc_info(), which indexes class_name[]
> with vcc->qos.{rx,tp}.traffic_class. Values above ATM_ANYCLASS cause
> an out-of-bounds read when /proc/net/atm/pvc is read.
>
> Tighten the existing QoS validation so invalid traffic_class values
> are rejected at the point where user supplied QoS is accepted.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
I believe the issue flagged by AI-generated review on
https://netdev-ai.bots.linux.dev/sashiko/ is a false positive.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-11 16:37 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <cover.1780965530.git.zcliangcn@gmail.com>
2026-06-09 8:34 ` [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation Ren Wei
2026-06-11 16:37 ` Simon Horman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox