
Commit 5e9a0fe

jialiu02davem330
authored andcommitted
net/sched: flower: Fix null pointer dereference when run tc vlan command
Zahari issued a tc vlan command without setting vlan_ethtype, which crashes the kernel. To avoid this, we must check that tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE] is not null before using it. Also, we don't need to dump vlan_ethtype or cvlan_ethtype in this case. Fixes: d64efd0 ('net/sched: flower: Add supprt for matching on QinQ vlan headers') Signed-off-by: Jianbo Liu <jianbol@mellanox.com> Reported-by: Zahari Doychev <zahari.doychev@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent db560d1 commit 5e9a0fe


1 file changed

+26
-22
lines changed


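--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -605,20 +605,22 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
 TCA_FLOWER_KEY_VLAN_PRIO, &key->vlan,
 &mask->vlan);
 
-ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
-if (eth_type_vlan(ethertype)) {
-fl_set_key_vlan(tb, ethertype,
-TCA_FLOWER_KEY_CVLAN_ID,
-TCA_FLOWER_KEY_CVLAN_PRIO,
-&key->cvlan, &mask->cvlan);
-fl_set_key_val(tb, &key->basic.n_proto,
-TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
-&mask->basic.n_proto,
-TCA_FLOWER_UNSPEC,
-sizeof(key->basic.n_proto));
-} else {
-key->basic.n_proto = ethertype;
-mask->basic.n_proto = cpu_to_be16(~0);
+if (tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]) {
+ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
+if (eth_type_vlan(ethertype)) {
+fl_set_key_vlan(tb, ethertype,
+TCA_FLOWER_KEY_CVLAN_ID,
+TCA_FLOWER_KEY_CVLAN_PRIO,
+&key->cvlan, &mask->cvlan);
+fl_set_key_val(tb, &key->basic.n_proto,
+TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
+&mask->basic.n_proto,
+TCA_FLOWER_UNSPEC,
+sizeof(key->basic.n_proto));
+} else {
+key->basic.n_proto = ethertype;
+mask->basic.n_proto = cpu_to_be16(~0);
+}
 }
 } else {
 key->basic.n_proto = ethertype;
@@ -1344,14 +1346,16 @@ static int fl_dump(struct net *net, struct tcf_proto *tp, void *fh,
 key->cvlan.vlan_tpid)))
 goto nla_put_failure;
 
-if (mask->cvlan.vlan_tpid) {
-if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
-key->basic.n_proto))
-goto nla_put_failure;
-} else if (mask->vlan.vlan_tpid) {
-if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE,
-key->basic.n_proto))
-goto nla_put_failure;
+if (mask->basic.n_proto) {
+if (mask->cvlan.vlan_tpid) {
+if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
+key->basic.n_proto))
+goto nla_put_failure;
+} else if (mask->vlan.vlan_tpid) {
+if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE,
+key->basic.n_proto))
+goto nla_put_failure;
+}
 }
 
 if ((key->basic.n_proto == htons(ETH_P_IP) ||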
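Review bot: The new `if (tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE])` guard in fl_set_key has no else branch, so when the attribute is missing, key->basic.n_proto and mask->basic.n_proto keep whatever value they had on entry (presumably zero; the initialisation is outside the hunk). The fl_dump hunk then treats `mask->basic.n_proto == 0` as meaning "attribute was absent", and that coupling between the two functions is not written down anywhere in the visible code. I would add a comment at the guard, e.g. `/* VLAN_ETH_TYPE is optional: if absent, n_proto stays unmatched (mask 0) and fl_dump omits it */`. Since tb[] appears to be populated from a user-supplied netlink request, it is also worth confirming that the remaining nla_get_*() calls in fl_set_key test their tb[] slot before dereferencing it; both functions continue outside the hunks shown.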
