diff options
author | Toke Høiland-Jørgensen <toke@redhat.com> | 2019-01-09 17:09:42 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-01-15 20:12:00 -0800 |
commit | f6bab199315b70fd83fe3ee0947bc84c7a35f3d4 (patch) | |
tree | c662d696e0bfe2ee2be86cbdf0da095d9d6389ba /net/sched/sch_tbf.c | |
parent | 80b3671e9377916bf2b02e56113fa7377ce5705a (diff) | |
download | linux-f6bab199315b70fd83fe3ee0947bc84c7a35f3d4.tar.bz2 |
sched: Avoid dereferencing skb pointer after child enqueue
Parent qdiscs may dereference the pointer to the enqueued skb after
enqueue. However, both CAKE and TBF call consume_skb() on the original skb
when splitting GSO packets, leading to a potential use-after-free in the
parent. Fix this by avoiding dereferencing the skb pointer after enqueueing
to the child.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/sch_tbf.c')
-rw-r--r-- | net/sched/sch_tbf.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c index 942dcca09cf2..7f272a9070c5 100644 --- a/net/sched/sch_tbf.c +++ b/net/sched/sch_tbf.c @@ -185,6 +185,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) { struct tbf_sched_data *q = qdisc_priv(sch); + unsigned int len = qdisc_pkt_len(skb); int ret; if (qdisc_pkt_len(skb) > q->max_size) { @@ -200,7 +201,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch, return ret; } - qdisc_qstats_backlog_inc(sch, skb); + sch->qstats.backlog += len; sch->q.qlen++; return NET_XMIT_SUCCESS; } |