[PATCH net] sch_netem: fix a divide by zero in tabledist()

Eric Dumazet Wed, 18 Sep 2019 08:06:19 -0700

syzbot managed to crash the kernel in tabledist() loading
an empty distribution table.


        t = dist->table[rnd % dist->size];

Simply return an error when such load is attempted.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <eduma...@google.com>
Reported-by: syzbot <syzkal...@googlegroups.com>
---
 net/sched/sch_netem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 
b17f2ed970e296adc57bed458ec3cced4fc6705b..f5cb35e550f8df557f2e444cc2fd142cab97789b
 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -777,7 +777,7 @@ static int get_dist_table(struct Qdisc *sch, struct 
disttable **tbl,
        struct disttable *d;
        int i;
 
-       if (n > NETEM_DIST_MAX)
+       if (!n || n > NETEM_DIST_MAX)
                return -EINVAL;
 
        d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL);
-- 
2.23.0.237.gc6a4ce50a0-goog

[PATCH net] sch_netem: fix a divide by zero in tabledist()

Reply via email to