On Mon, Oct 07, 2019 at 01:26:29PM -0700, Cong Wang wrote:
> For TCA_ACT_KIND, we have to keep the backward compatibility too,
> and rely on nla_strlcpy() to check and terminate the string with
> a NUL.
>
> Note for TC actions, nla_strcmp() is already used to compare kind
> strings, so we don't need to fix other places.
>
> Fixes: 199ce850ce11 ("net_sched: add policy validation for action attributes")
> Reported-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
> Cc: Jamal Hadi Salim <j...@mojatatu.com>
> Cc: Jiri Pirko <j...@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
> ---
> net/sched/act_api.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/net/sched/act_api.c b/net/sched/act_api.c
> index da99667589f8..4684f2f24b17 100644
> --- a/net/sched/act_api.c
> +++ b/net/sched/act_api.c
> @@ -832,8 +832,7 @@ static struct tc_cookie *nla_memdup_cookie(struct nlattr
> **tb)
> }
>
> static const struct nla_policy tcf_action_policy[TCA_ACT_MAX + 1] = {
> - [TCA_ACT_KIND] = { .type = NLA_NUL_STRING,
> - .len = IFNAMSIZ - 1 },
> + [TCA_ACT_KIND] = { .type = NLA_STRING },
> [TCA_ACT_INDEX] = { .type = NLA_U32 },
> [TCA_ACT_COOKIE] = { .type = NLA_BINARY,
> .len = TC_COOKIE_MAX_SIZE },
> @@ -865,8 +864,10 @@ struct tc_action *tcf_action_init_1(struct net *net,
> struct tcf_proto *tp,
> NL_SET_ERR_MSG(extack, "TC action kind must be
> specified");
> goto err_out;
> }
> - nla_strlcpy(act_name, kind, IFNAMSIZ);
> -
> + if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ) {
> + NL_SET_ERR_MSG(extack, "TC action name too long");
> + goto err_out;
> + }
> if (tb[TCA_ACT_COOKIE]) {
> cookie = nla_memdup_cookie(tb);
> if (!cookie) {
> --
> 2.21.0
>
