blob: abca41839ed6d006223ad48312d9561a65995054 [file] [log] [blame]
From 4f9835259c16fd2c096c968fd7fdf0751b10cb88 Mon Sep 17 00:00:00 2001
From: Cong Wang <>
Date: Wed, 22 Jan 2020 15:42:02 -0800
Subject: [PATCH] net_sched: fix datalen for ematch
commit 61678d28d4a45ef376f5d02a839cc37509ae9281 upstream.
syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.
I audit all the in-tree ematch users, all of those implement
->change() set em->datalen, so we can just avoid setting it twice
in this case.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: Eric Dumazet <>
Signed-off-by: Cong Wang <>
Reviewed-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Paul Gortmaker <>
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 8f2ad706784d..d0140a92694a 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -263,12 +263,12 @@ static int tcf_em_validate(struct tcf_proto *tp,
em->data = (unsigned long) v;
+ em->datalen = data_len;
em->matchid = em_hdr->matchid;
em->flags = em_hdr->flags;
- em->datalen = data_len;
em->net = net;
err = 0;