diff options
| author | Eric Dumazet <edumazet@google.com> | 2012-07-08 21:45:10 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-07-09 14:50:54 -0700 |
| commit | 91c68ce2b26319248a32d7baa1226f819d283758 (patch) | |
| tree | eeeea052a0b13d2f97435fe33caa5139e4729a53 /net/core/dev.c | |
| parent | 96ca7ffe748bf91f851e6aa4479aa11c8b1122ba (diff) | |
| download | op-kernel-dev-91c68ce2b26319248a32d7baa1226f819d283758.zip op-kernel-dev-91c68ce2b26319248a32d7baa1226f819d283758.tar.gz | |
net: cgroup: fix out of bounds accesses
dev->priomap is allocated by extend_netdev_table() called from
update_netdev_tables().
And this is only called if write_priomap() is called.
But if write_priomap() is not called, it seems we can have out of bounds
accesses in cgrp_destroy(), read_priomap() & skb_update_prio()
With help from Gao Feng
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>
Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/dev.c')
| -rw-r--r-- | net/core/dev.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/core/dev.c b/net/core/dev.c index 84f01ba..0f28a9e 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2444,8 +2444,12 @@ static void skb_update_prio(struct sk_buff *skb) { struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap); - if ((!skb->priority) && (skb->sk) && map) - skb->priority = map->priomap[skb->sk->sk_cgrp_prioidx]; + if (!skb->priority && skb->sk && map) { + unsigned int prioidx = skb->sk->sk_cgrp_prioidx; + + if (prioidx < map->priomap_len) + skb->priority = map->priomap[prioidx]; + } } #else #define skb_update_prio(skb) |
