net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
stable inclusion from stable-v5.10.190 commit f40f7a858b3b4b2efdc22b524426ea51a0c004fd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I928UI Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f40f7a858b3b4b2efdc22b524426ea51a0c004fd -------------------------------- [ Upstream commit 6c58c881 ] The nla_for_each_nested parsing in function mqprio_parse_nlattr() does not check the length of the nested attribute. This can lead to an out-of-attribute read and allow a malformed nlattr (e.g., length 0) to be viewed as 8 byte integer and passed to priv->max_rate/min_rate. This patch adds the check based on nla_len() when check the nla_type(), which ensures that the length of these two attribute must equals sizeof(u64). Fixes: 4e8b86c0 ("mqprio: Introduce new hardware offload mode and shaper in mqprio") Reviewed-by:Victor Nogueira <victor@mojatatu.com> Signed-off-by:
Loading
Please sign in to comment