[SRU][OEM-5.17/OEM-6.0][PATCH 1/1] net: sched: atm: dont intepret cls results when asked to drop
Yuxuan Luo
yuxuan.luo at canonical.com
Wed Apr 5 19:53:06 UTC 2023
From: Jamal Hadi Salim <jhs at mojatatu.com>
If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
res.class contains a valid pointer
Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent")
Signed-off-by: Jamal Hadi Salim <jhs at mojatatu.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit a2965c7be0522eaa18808684b7b82b248515511b)
CVE-2023-23455
Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
---
net/sched/sch_atm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index 4c8e994cf0a53..06dabd7e29000 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -397,10 +397,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
result = tcf_classify(skb, NULL, fl, &res, true);
if (result < 0)
continue;
+ if (result == TC_ACT_SHOT)
+ goto done;
+
flow = (struct atm_flow_data *)res.class;
if (!flow)
flow = lookup_flow(sch, res.classid);
- goto done;
+ goto drop;
}
}
flow = NULL;
--
2.34.1
More information about the kernel-team
mailing list