net sched actions: allocate act cookie early
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Thu, 20 Apr 2017 12:08:26 +0000 (14:08 +0200)
committerDavid S. Miller <davem@davemloft.net>
Thu, 20 Apr 2017 20:32:07 +0000 (16:32 -0400)
commite0535ce58b92d7baf0b33284a6c4f8f0338f943e
tree09149bb2d06e45a11b06bed0ce7c4afb453490a8
parent43af390573ad5539b6087831a1197747a0e672ad
net sched actions: allocate act cookie early

Policing filters do not use the TCA_ACT_* enum and the tb[]
nlattr array in tcf_action_init_1() doesn't get filled for
them so we should not try to look for a TCA_ACT_COOKIE
attribute in the then uninitialized array.
The error handling in cookie allocation then calls
tcf_hash_release() leading to invalid memory access later
on.
Additionally, if cookie allocation fails after an already
existing non-policing filter has successfully been changed,
tcf_action_release() should not be called, also we would
have to roll back the changes in the error handling, so
instead we now allocate the cookie early and assign it on
success at the end.

CVE-2017-7979
Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/act_api.c