summaryrefslogtreecommitdiffstats
path: root/net/core/dev.c
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2012-07-08 21:45:10 +0000
committerDavid S. Miller <davem@davemloft.net>2012-07-09 14:50:54 -0700
commit91c68ce2b26319248a32d7baa1226f819d283758 (patch)
treeeeeea052a0b13d2f97435fe33caa5139e4729a53 /net/core/dev.c
parent96ca7ffe748bf91f851e6aa4479aa11c8b1122ba (diff)
downloadop-kernel-dev-91c68ce2b26319248a32d7baa1226f819d283758.zip
op-kernel-dev-91c68ce2b26319248a32d7baa1226f819d283758.tar.gz
net: cgroup: fix out of bounds accesses
dev->priomap is allocated by extend_netdev_table() called from update_netdev_tables(). And this is only called if write_priomap() is called. But if write_priomap() is not called, it seems we can have out of bounds accesses in cgrp_destroy(), read_priomap() & skb_update_prio() With help from Gao Feng Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neil Horman <nhorman@tuxdriver.com> Cc: Gao feng <gaofeng@cn.fujitsu.com> Acked-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/dev.c')
-rw-r--r--net/core/dev.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index 84f01ba..0f28a9e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2444,8 +2444,12 @@ static void skb_update_prio(struct sk_buff *skb)
{
struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
- if ((!skb->priority) && (skb->sk) && map)
- skb->priority = map->priomap[skb->sk->sk_cgrp_prioidx];
+ if (!skb->priority && skb->sk && map) {
+ unsigned int prioidx = skb->sk->sk_cgrp_prioidx;
+
+ if (prioidx < map->priomap_len)
+ skb->priority = map->priomap[prioidx];
+ }
}
#else
#define skb_update_prio(skb)
OpenPOWER on IntegriCloud