net: sched: ife: handle malformed tlv length

[ Upstream commit cc74eddd0ff325d57373cea99f642b787d7f76f5 ] There is currently no handling to check on a invalid tlv length. This patch adds such handling to avoid killing the kernel with a malformed ife packet. Signed-off-by: Alexander Aring <aring@mojatatu.com> Reviewed-by: Yotam Gigi <yotam.gi@gmail.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Alexander Aring <aring@mojatatu.com> 2018-04-20 15:15:04 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-29 11:33:13 +0200
commit: 388f3d9708fcc96cea44fe343ffe055e58ba6e6b (patch)
tree: 1a2ee018b07ff9ea59155db383b47d9fcca64e4d /net/sched/act_ife.c
parent: 75020d6319eec226a5829359a23322a69f1d7525 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 4b4e4d490f42..85757af7f150 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -639,7 +639,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
 		u16 mtype;
 		u16 dlen;
 
-		curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL);
+		curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype,
+						&dlen, NULL);
+		if (!curr_data) {
+			qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats));
+			return TC_ACT_SHOT;
+		}
 
 		if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) {
 			/* abuse overlimits to count when we receive metadata
author	Alexander Aring <aring@mojatatu.com>	2018-04-20 15:15:04 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-04-29 11:33:13 +0200
commit	388f3d9708fcc96cea44fe343ffe055e58ba6e6b (patch)
tree	1a2ee018b07ff9ea59155db383b47d9fcca64e4d /net/sched/act_ife.c
parent	75020d6319eec226a5829359a23322a69f1d7525 (diff)