kernel_optimize_test/net/sched
Maxim Mikityanskiy 3b491dd593 sch_cake: Fix out of bounds when parsing TCP options and header
[ Upstream commit ba91c49dedbde758ba0b72f57ac90b06ddf8e548 ]

The TCP option parser in cake qdisc (cake_get_tcpopt and
cake_tcph_may_drop) could read one byte out of bounds. When the length
is 1, the execution flow gets into the loop, reads one byte of the
opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
one more byte, which exceeds the length of 1.

This fix is inspired by commit 9609dad263 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

v2 changes:

Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP
header. Although it wasn't strictly an out-of-bounds access (memory was
allocated), garbage values could be read where CAKE expected the TCP
header if doff was smaller than 5.

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 8b7138814f ("sch_cake: Add optional ACK filter")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-06-23 14:42:43 +02:00
..
act_api.c Revert "net: sched: bump refcount for new action in ACT replace mode" 2021-04-14 08:42:14 +02:00
act_bpf.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_connmark.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_csum.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_ct.c net/sched: act_ct: handle DNAT tuple collision 2021-06-23 14:42:42 +02:00
act_ctinfo.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-05 18:40:01 -07:00
act_gact.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_gate.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-05 18:40:01 -07:00
act_ife.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_ipt.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_mpls.c net/sched: act_mpls: ensure LSE is pullable before reading it 2020-12-03 11:13:37 -08:00
act_nat.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_pedit.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_police.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_sample.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_simple.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_skbedit.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_skbmod.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-09-24 19:46:21 -07:00
act_tunnel_key.c net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels 2020-10-20 21:10:41 -07:00
act_vlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-05 18:40:01 -07:00
cls_api.c net: zero-initialize tc skb extension on allocation 2021-06-03 09:00:51 +02:00
cls_basic.c
cls_bpf.c
cls_cgroup.c
cls_flow.c Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
cls_flower.c net/sched: cls_flower: use ntohs for struct flow_dissector_key_ports 2021-05-19 10:12:53 +02:00
cls_fw.c
cls_matchall.c
cls_route.c
cls_rsvp.c
cls_rsvp.h
cls_rsvp6.c
cls_tcindex.c net_sched: avoid shift-out-of-bounds in tcindex_set_parms() 2021-01-27 11:55:24 +01:00
cls_u32.c net/sched: cls_u32: Replace one-element array with flexible-array member 2020-09-28 18:48:42 -07:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c
Kconfig net: sched: incorrect Kconfig dependencies on Netfilter modules 2021-02-23 15:53:23 +01:00
Makefile
sch_api.c net: sched: avoid duplicates in classes dump 2021-03-17 17:06:14 +01:00
sch_atm.c
sch_blackhole.c
sch_cake.c sch_cake: Fix out of bounds when parsing TCP options and header 2021-06-23 14:42:43 +02:00
sch_cbq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
sch_cbs.c
sch_choke.c net: sched: validate stab values 2021-03-30 14:31:57 +02:00
sch_codel.c
sch_drr.c
sch_dsmark.c sch_dsmark: fix a NULL deref in qdisc_reset() 2021-06-03 09:00:50 +02:00
sch_etf.c
sch_ets.c
sch_fifo.c
sch_fq_codel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
sch_fq_pie.c net/sched: fq_pie: fix OOB access in the traffic path 2021-06-03 09:00:28 +02:00
sch_fq.c
sch_generic.c net: sched: fix tx action reschedule issue with stopped queue 2021-06-03 09:00:47 +02:00
sch_gred.c net: sched: validate stab values 2021-03-30 14:31:57 +02:00
sch_hfsc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
sch_hhf.c
sch_htb.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
sch_ingress.c
sch_mq.c
sch_mqprio.c
sch_multiq.c
sch_netem.c netem: fix zero division in tabledist 2020-10-29 11:45:47 -07:00
sch_pie.c
sch_plug.c
sch_prio.c
sch_qfq.c
sch_red.c net: sched: validate stab values 2021-03-30 14:31:57 +02:00
sch_sfb.c
sch_sfq.c net: sched: validate stab values 2021-03-30 14:31:57 +02:00
sch_skbprio.c
sch_taprio.c net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule 2021-05-19 10:12:57 +02:00
sch_tbf.c
sch_teql.c net: sched: sch_teql: fix null-pointer dereference 2021-04-14 08:42:02 +02:00