net/sched: flower: Fix null pointer dereference when run tc vlan command

Zahari issued tc vlan command without setting vlan_ethtype, which will crash kernel. To avoid this, we must check tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE] is not null before use it. Also we don't need to dump vlan_ethtype or cvlan_ethtype in this case. Fixes: d64efd0926ba ('net/sched: flower: Add supprt for matching on QinQ vlan headers') Signed-off-by: Jianbo Liu <jianbol@mellanox.com> Reported-by: Zahari Doychev <zahari.doychev@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-07-09 02:26:20 +00:00 · 2018-07-09 02:26:20 +00:00 · 5e9a0fe492
commit 5e9a0fe492
parent db560d1612
1 changed files with 26 additions and 22 deletions
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@ -605,20 +605,22 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
 					TCA_FLOWER_KEY_VLAN_PRIO, &key->vlan,
 					&mask->vlan);

-			ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
-			if (eth_type_vlan(ethertype)) {
-				fl_set_key_vlan(tb, ethertype,
-						TCA_FLOWER_KEY_CVLAN_ID,
-						TCA_FLOWER_KEY_CVLAN_PRIO,
-						&key->cvlan, &mask->cvlan);
-				fl_set_key_val(tb, &key->basic.n_proto,
-					       TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
-					       &mask->basic.n_proto,
-					       TCA_FLOWER_UNSPEC,
-					       sizeof(key->basic.n_proto));
-			} else {
-				key->basic.n_proto = ethertype;
-				mask->basic.n_proto = cpu_to_be16(~0);
+			if (tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]) {
+				ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
+				if (eth_type_vlan(ethertype)) {
+					fl_set_key_vlan(tb, ethertype,
+							TCA_FLOWER_KEY_CVLAN_ID,
+							TCA_FLOWER_KEY_CVLAN_PRIO,
+							&key->cvlan, &mask->cvlan);
+					fl_set_key_val(tb, &key->basic.n_proto,
+						       TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
+						       &mask->basic.n_proto,
+						       TCA_FLOWER_UNSPEC,
+						       sizeof(key->basic.n_proto));
+				} else {
+					key->basic.n_proto = ethertype;
+					mask->basic.n_proto = cpu_to_be16(~0);
+				}
 			}
 		} else {
 			key->basic.n_proto = ethertype;
@ -1344,14 +1346,16 @@ static int fl_dump(struct net *net, struct tcf_proto *tp, void *fh,
 			 key->cvlan.vlan_tpid)))
 		goto nla_put_failure;

-	if (mask->cvlan.vlan_tpid) {
-		if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
-				 key->basic.n_proto))
-			goto nla_put_failure;
-	} else if (mask->vlan.vlan_tpid) {
-		if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE,
-				 key->basic.n_proto))
-			goto nla_put_failure;
+	if (mask->basic.n_proto) {
+		if (mask->cvlan.vlan_tpid) {
+			if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
+					 key->basic.n_proto))
+				goto nla_put_failure;
+		} else if (mask->vlan.vlan_tpid) {
+			if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE,
+					 key->basic.n_proto))
+				goto nla_put_failure;
+		}
 	}

 	if ((key->basic.n_proto == htons(ETH_P_IP) ||