| From c44d51150e6c9f49d31d67636bc1f158bf0eac54 Mon Sep 17 00:00:00 2001 |
| From: Cong Wang <xiyou.wangcong@gmail.com> |
| Date: Wed, 11 Mar 2020 22:42:28 -0700 |
| Subject: [PATCH] net_sched: keep alloc_hash updated after hash allocation |
| |
| commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 upstream. |
| |
| In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex") |
| I moved cp->hash calculation before the first |
| tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched. |
| This difference could lead to another out of bound access. |
| |
| cp->alloc_hash should always be the size allocated, we should |
| update it after this tcindex_alloc_perfect_hash(). |
| |
| Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com |
| Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com |
| Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex") |
| Cc: Jamal Hadi Salim <jhs@mojatatu.com> |
| Cc: Jiri Pirko <jiri@resnulli.us> |
| Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c |
| index 09b7dc5fe7e0..ab95bbe20e3d 100644 |
| --- a/net/sched/cls_tcindex.c |
| +++ b/net/sched/cls_tcindex.c |
| @@ -357,6 +357,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, |
| |
| if (tcindex_alloc_perfect_hash(net, cp) < 0) |
| goto errout; |
| + cp->alloc_hash = cp->hash; |
| for (i = 0; i < min(cp->hash, p->hash); i++) |
| cp->perfect[i].res = p->perfect[i].res; |
| balloc = 1; |
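Review bot: the added `cp->alloc_hash = cp->hash;` after the tcindex_alloc_perfect_hash() call leaves the "alloc_hash is the size allocated" rule to be maintained by hand in the caller, with no comment in the code saying why. The commit message notes that this is one of several tcindex_alloc_perfect_hash() calls, so each other call site has to remember the same assignment. Consider setting alloc_hash inside tcindex_alloc_perfect_hash() on success so that the field cannot drift from the allocation, or at minimum add a one-line comment above the assignment stating that alloc_hash must match the number of perfect[] entries allocated. It would also help to confirm that the loop bound `min(cp->hash, p->hash)` on the next line cannot exceed the number of entries actually allocated for p->perfect, since that loop reads from the old array using p->hash rather than p->alloc_hash.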
| -- |
| 2.7.4 |
| |