Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL

From: Jamal Hadi Salim
Date: Mon Aug 27 2018 - 07:47:41 EST


On 2018-08-26 5:56 p.m., Kees Cook wrote:
> On Sun, Aug 26, 2018 at 10:30 AM, Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
>> We should add an nla_policy later.
>
> What's the right way to do that for cases like this?

Meant something like attached which you alluded to in your comments
would give an upper bound (Max allowed keys is 128).

cheers,
jamal
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index d5d2a6dc3921..cb7a3fa0e728 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -761,7 +761,9 @@ static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = {
[TCA_U32_HASH] = { .type = NLA_U32 },
[TCA_U32_LINK] = { .type = NLA_U32 },
[TCA_U32_DIVISOR] = { .type = NLA_U32 },
- [TCA_U32_SEL] = { .len = sizeof(struct tc_u32_sel) },
+ [TCA_U32_SEL] = { .type = NLA_BINARY,
+ .len = (sizeof(struct tc_u32_sel) +
+ (128*sizeof(struct tc_u32_key)) },
[TCA_U32_INDEV] = { .type = NLA_STRING, .len = IFNAMSIZ },
[TCA_U32_MARK] = { .len = sizeof(struct tc_u32_mark) },
[TCA_U32_FLAGS] = { .type = NLA_U32 },
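
Review bot: The `.len` initializer in the new `[TCA_U32_SEL]` entry has unbalanced parentheses: the `(` opened before `sizeof(struct tc_u32_sel)` is never closed, so this does not compile as posted; the last added line should end `(128 * sizeof(struct tc_u32_key))) },`. Separately, with `.type = NLA_BINARY` the policy `.len` acts as a maximum, whereas for the untyped entry being removed it was a minimum, so after this change the policy no longer rejects a `TCA_U32_SEL` shorter than `sizeof(struct tc_u32_sel)`. The short-attribute case named in the subject line therefore still needs an explicit length check where the selector is consumed, covering both the fixed header and the number of keys it claims. The literal 128 would also be clearer as a named constant shared with whatever enforces the key limit.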