On 01/23/2017 01:58 PM, Simon Horman wrote:
Hi Jamal,

On Sun, Jan 22, 2017 at 03:25:50PM -0500, Jamal Hadi Salim wrote:

...

diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index cd08df9..58cf1c5 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -24,6 +24,7 @@
  #include <net/net_namespace.h>
  #include <net/sock.h>
  #include <net/sch_generic.h>
+#include <net/pkt_cls.h>
  #include <net/act_api.h>
  #include <net/netlink.h>

@@ -33,6 +34,8 @@ static void free_tcf(struct rcu_head *head)

        free_percpu(p->cpu_bstats);
        free_percpu(p->cpu_qstats);
+       kfree(p->act_cookie->data);

Does the above need to be protected by a check for p->act_cookie being non-NULL?

Yep, that would be a NULL-deref. Why not just embedd tc_cookie as
suggested earlier, the struct is rather small anyway ...

+       kfree(p->act_cookie);
        kfree(p);
  }


...

@@ -575,6 +584,33 @@ struct tc_action *tcf_action_init_1(struct net *net, 
struct nlattr *nla,
        if (err < 0)
                goto err_mod;

+       if (tb[TCA_ACT_COOKIE]) {
+               int cklen = nla_len(tb[TCA_ACT_COOKIE]);
+
+               if (cklen > TC_COOKIE_MAX_SIZE) {
+                       err = -EINVAL;
+                       tcf_hash_release(a, bind);
+                       goto err_mod;
+               }
+
+               a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+               if (!a->act_cookie) {
+                       err = -ENOMEM;
+                       tcf_hash_release(a, bind);
+                       goto err_mod;
+               }
+
+               a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE],
+                                                GFP_KERNEL);
+               if (!a->act_cookie->data) {
+                       err = -ENOMEM;
+                       kfree(a->act_cookie);
+                       tcf_hash_release(a, bind);
+                       goto err_mod;
+               }
+               a->act_cookie->len = cklen;

FWIW, the above looks correct but it also looks like the error handling
could be done less verbosely if the logic was moved to a separate function.

+       }
+
        /* module count goes up only when brand new policy is created
         * if it exists and is only bound to in a_o->init() then
         * ACT_P_CREATED is not returned (a zero is).
--
1.9.1


Reply via email to