On 17-01-17 01:40 PM, Cong Wang wrote:
On Tue, Jan 17, 2017 at 3:11 AM, Jamal Hadi Salim <j...@mojatatu.com> wrote:@@ -575,6 +583,23 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla, if (err < 0) goto err_mod;+ if (tb[TCA_ACT_COOKIE]) { + if (nla_len(tb[TCA_ACT_COOKIE]) > TC_COOKIE_MAX_SIZE) { + err = -EINVAL; + goto err_mod; + } + + a->act_ck = kzalloc(sizeof(*a->act_ck), GFP_KERNEL); + if (unlikely(!a->act_ck)) { + err = -ENOMEM; + goto err_mod; + } +I am afraid you can't just goto err_mod for error case here, b/c ->init() is already called before this, you probably either have to call ->destroy() for error path, or move this before ->init().
Thanks for catching this. Deserves a respin. Easier to move it earlier. cheers, jamal
