cls_cgroup: Fix oops when user send improperly ‘tc filter add’ request [Linux 2.6.30]

This Linux kernel change "cls_cgroup: Fix oops when user send improperly ‘tc filter add’ request" is included in the Linux 2.6.30 release. This change is authored by Minoru Usui <usui [at] mxm.nes.nec.co.jp> on Tue Jun 9 04:03:09 2009 -0700. The commit for this change in Linux stable tree is 52ea3a5 (patch).

cls_cgroup: Fix oops when user send improperly 'tc filter add' request

I found a bug in cls_cgroup_change() in cls_cgroup.c.
cls_cgroup_change() expected tca[TCA_OPTIONS] was set from user space properly,
but tc in iproute2-2.6.29-1 (which I used) didn't set it.

In the current source code of tc in git, it set tca[TCA_OPTIONS].

  git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git

If we always use a newest iproute2 in git when we use cls_cgroup,
we don't face this oops probably.
But I think, kernel shouldn't panic regardless of use program's behaviour.

Signed-off-by: Minoru Usui <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

There are 3 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 net/sched/cls_cgroup.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index cc29b44..e5becb9 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -167,6 +167,9 @@ static int cls_cgroup_change(struct tcf_proto *tp, unsigned long base,
    struct tcf_exts e;
    int err;

+   if (!tca[TCA_OPTIONS])
+       return -EINVAL;
+
    if (head == NULL) {
        if (!handle)
            return -EINVAL;

Leave a Reply

Your email address will not be published. Required fields are marked *