diff options
| author | Nogah Frankel <nogahf@mellanox.com> | 2017-12-04 13:31:11 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-03-03 15:51:45 +0000 |
| commit | 94610f7d8508a161105a53f6fb34145af180a667 (patch) | |
| tree | adea1333b99e8ceb49ae467c5b16fc50f96a09b9 | |
| parent | e45719379ab686bc5fb0999469a7a4a718eeb117 (diff) | |
| download | linux-stable-94610f7d8508a161105a53f6fb34145af180a667.tar.gz linux-stable-94610f7d8508a161105a53f6fb34145af180a667.tar.bz2 linux-stable-94610f7d8508a161105a53f6fb34145af180a667.zip | |
net_sched: red: Avoid illegal values
commit 8afa10cbe281b10371fee5a87ab266e48d71a7f9 upstream.
Check the qmin & qmax values doesn't overflow for the given Wlog value.
Check that qmin <= qmax.
Fixes: a783474591f2 ("[PKT_SCHED]: Generic RED layer")
Signed-off-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | include/net/red.h | 11 | ||||
| -rw-r--r-- | net/sched/sch_choke.c | 3 | ||||
| -rw-r--r-- | net/sched/sch_gred.c | 3 | ||||
| -rw-r--r-- | net/sched/sch_red.c | 2 | ||||
| -rw-r--r-- | net/sched/sch_sfq.c | 3 |
5 files changed, 22 insertions, 0 deletions
diff --git a/include/net/red.h b/include/net/red.h index ba5039418a93..3618cdfec884 100644 --- a/include/net/red.h +++ b/include/net/red.h @@ -167,6 +167,17 @@ static inline void red_set_vars(struct red_vars *v) v->qcount = -1; } +static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog) +{ + if (fls(qth_min) + Wlog > 32) + return false; + if (fls(qth_max) + Wlog > 32) + return false; + if (qth_max < qth_min) + return false; + return true; +} + static inline void red_set_parms(struct red_parms *p, u32 qth_min, u32 qth_max, u8 Wlog, u8 Plog, u8 Scell_log, u8 *stab, u32 max_P) diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c index ee0223aaf399..290d856e62b8 100644 --- a/net/sched/sch_choke.c +++ b/net/sched/sch_choke.c @@ -419,6 +419,9 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt) ctl = nla_data(tb[TCA_CHOKE_PARMS]); + if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) + return -EINVAL; + if (ctl->limit > CHOKE_MAX_QUEUE) return -EINVAL; diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c index 12cbc09157fc..bf5882a4737f 100644 --- a/net/sched/sch_gred.c +++ b/net/sched/sch_gred.c @@ -388,6 +388,9 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp, struct gred_sched *table = qdisc_priv(sch); struct gred_sched_data *q = table->tab[dp]; + if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) + return -EINVAL; + if (!q) { table->tab[dp] = q = *prealloc; *prealloc = NULL; diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c index f4972baf8881..9f92792ebbc6 100644 --- a/net/sched/sch_red.c +++ b/net/sched/sch_red.c @@ -199,6 +199,8 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt) max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0; ctl = nla_data(tb[TCA_RED_PARMS]); + if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) + return -EINVAL; if (ctl->limit > 0) { child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit); diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c index baebaaa995c1..c5878bb638d2 100644 --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c @@ -658,6 +658,9 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) if (ctl->divisor && (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536)) return -EINVAL; + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, + ctl_v1->Wlog)) + return -EINVAL; if (ctl_v1 && ctl_v1->qth_min) { p = kmalloc(sizeof(*p), GFP_KERNEL); if (!p) |