Re: [PATCH v2] net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64

From: Victor Nogueira
Date: Mon Jul 24 2023 - 17:30:00 EST

Next message: Arnaldo Carvalho de Melo: "Re: [PATCH 1/1] perf dlfilter: Initialize addr_location before passing it to thread__find_symbol_fb()"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH v1 0/4] Perf tool LTO support"
Next in thread: Jakub Kicinski: "Re: [PATCH v2] net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 23/07/2023 22:46, Lin Ma wrote:

The nla_for_each_nested parsing in function mqprio_parse_nlattr() does
not check the length of the nested attribute. This can lead to an
out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
be viewed as 8 byte integer and passed to priv->max_rate/min_rate.

This patch adds the check based on nla_len() when check the nla_type(),
which ensures that the length of these two attribute must equals
sizeof(u64).

Fixes: 4e8b86c06269 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
Signed-off-by: Lin Ma <linma@xxxxxxxxxx>

Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>

Next message: Arnaldo Carvalho de Melo: "Re: [PATCH 1/1] perf dlfilter: Initialize addr_location before passing it to thread__find_symbol_fb()"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH v1 0/4] Perf tool LTO support"
Next in thread: Jakub Kicinski: "Re: [PATCH v2] net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]