On Sun, Nov 27, 2016 at 7:58 AM, Amir Vadai <a...@vadai.me> wrote: > Should not allow setting a negative offset that goes below the skb head. ... > diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c > index b54d56d4959b..e79e8a88f2d2 100644 > --- a/net/sched/act_pedit.c > +++ b/net/sched/act_pedit.c > @@ -154,8 +154,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct > tc_action *a, > } > > ptr = skb_header_pointer(skb, off + offset, 4, > &_data); > - if (!ptr) > + if ((unsigned char *)ptr < skb->head) {
ptr returned could be &_data, which is on the stack, so why does this comparison make sense for this case? > + pr_info("tc filter pedit offset out of > bounds\n"); > goto bad; > + } > + > /* just do it, baby */ > *ptr = ((*ptr & tkey->mask) ^ tkey->val); > if (ptr == &_data) > -- > 2.10.2 >
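Review bot: the `(unsigned char *)ptr < skb->head` test that replaces `if (!ptr)` does not implement the stated goal of rejecting a negative offset below the skb head: as the later `if (ptr == &_data)` shows, skb_header_pointer() can return the address of the local `_data` buffer, which bears no relation to skb->head, so the comparison can pass or fail independently of the offset; it also drops the explicit NULL check and now relies on an unspecified relational comparison against a possibly NULL pointer. Suggest keeping `if (!ptr)` and validating the offset arithmetic itself before the skb_header_pointer() call (rejecting a negative `off + offset`) rather than inspecting the returned pointer. Separately, since this pr_info() fires on the per-packet path for attacker-influenced input, pr_info_ratelimited() would avoid log flooding.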