Skip to content
Commit 61678d28 authored by Cong Wang's avatar Cong Wang Committed by David S. Miller
Browse files

net_sched: fix datalen for ematch 



syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.

I audit all the in-tree ematch users, all of those implement
->change() set em->datalen, so we can just avoid setting it twice
in this case.

Reported-and-tested-by: default avatar <syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com>
Fixes: 1da177e4

 ("Linux-2.6.12-rc2")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 42c9bdae
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment