* [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation [not found] <cover.1780965530.git.zcliangcn@gmail.com> @ 2026-06-09 8:34 ` Ren Wei 2026-06-11 16:37 ` Simon Horman 0 siblings, 1 reply; 2+ messages in thread From: Ren Wei @ 2026-06-09 8:34 UTC (permalink / raw) To: linux-atm-general, netdev; +Cc: 3chas3, yuantan098, bird, zcliangcn, n05ec From: Zhengchuan Liang <zcliangcn@gmail.com> Reject ATM traffic classes above ATM_ANYCLASS in check_tp(). SO_ATMQOS stores the supplied QoS after check_qos() succeeds, so accepting larger values leaves invalid traffic_class values in vcc->qos. That bad state later reaches pvc_info(), which indexes class_name[] with vcc->qos.{rx,tp}.traffic_class. Values above ATM_ANYCLASS cause an out-of-bounds read when /proc/net/atm/pvc is read. Tighten the existing QoS validation so invalid traffic_class values are rejected at the point where user supplied QoS is accepted. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:GPT-5.4 Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> --- net/atm/common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/atm/common.c b/net/atm/common.c index fe77f51f6ce1..6eb78c34c284 100644 --- a/net/atm/common.c +++ b/net/atm/common.c @@ -720,6 +720,8 @@ static int atm_change_qos(struct atm_vcc *vcc, struct atm_qos *qos) static int check_tp(const struct atm_trafprm *tp) { /* @@@ Should be merged with adjust_tp */ + if (tp->traffic_class > ATM_ANYCLASS) + return -EINVAL; if (!tp->traffic_class || tp->traffic_class == ATM_ANYCLASS) return 0; if (tp->traffic_class != ATM_UBR && !tp->min_pcr && !tp->pcr && -- 2.47.3 ^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation 2026-06-09 8:34 ` [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation Ren Wei @ 2026-06-11 16:37 ` Simon Horman 0 siblings, 0 replies; 2+ messages in thread From: Simon Horman @ 2026-06-11 16:37 UTC (permalink / raw) To: Ren Wei; +Cc: linux-atm-general, netdev, 3chas3, yuantan098, bird, zcliangcn On Tue, Jun 09, 2026 at 04:34:37PM +0800, Ren Wei wrote: > From: Zhengchuan Liang <zcliangcn@gmail.com> > > Reject ATM traffic classes above ATM_ANYCLASS in check_tp(). > SO_ATMQOS stores the supplied QoS after check_qos() succeeds, so > accepting larger values leaves invalid traffic_class values in > vcc->qos. > > That bad state later reaches pvc_info(), which indexes class_name[] > with vcc->qos.{rx,tp}.traffic_class. Values above ATM_ANYCLASS cause > an out-of-bounds read when /proc/net/atm/pvc is read. > > Tighten the existing QoS validation so invalid traffic_class values > are rejected at the point where user supplied QoS is accepted. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable@vger.kernel.org > Reported-by: Yuan Tan <yuantan098@gmail.com> > Reported-by: Xin Liu <bird@lzu.edu.cn> > Assisted-by: Codex:GPT-5.4 > Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com> > Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Reviewed-by: Simon Horman <horms@kernel.org> I believe the issue flagged by AI-generated review on https://netdev-ai.bots.linux.dev/sashiko/ is a false positive. ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-11 16:37 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <cover.1780965530.git.zcliangcn@gmail.com>
2026-06-09 8:34 ` [PATCH net 1/1] net: atm: reject out-of-range traffic classes in QoS validation Ren Wei
2026-06-11 16:37 ` Simon Horman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox