]>
Commit | Line | Data |
---|---|---|
373f9370 GKH |
1 | From foo@baz Wed Mar 11 11:44:33 CET 2015 |
2 | From: Daniel Borkmann <daniel@iogearbox.net> | |
3 | Date: Thu, 5 Feb 2015 18:44:04 +0100 | |
4 | Subject: rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY | |
5 | ||
6 | From: Daniel Borkmann <daniel@iogearbox.net> | |
7 | ||
8 | [ Upstream commit 364d5716a7adb91b731a35765d369602d68d2881 ] | |
9 | ||
10 | ifla_vf_policy[] is wrong in advertising its individual member types as | |
11 | NLA_BINARY since .type = NLA_BINARY in combination with .len declares the | |
12 | len member as *max* attribute length [0, len]. | |
13 | ||
14 | The issue is that when do_setvfinfo() is being called to set up a VF | |
15 | through ndo handler, we could set corrupted data if the attribute length | |
16 | is less than the size of the related structure itself. | |
17 | ||
18 | The intent is exactly the opposite, namely to make sure to pass at least | |
19 | data of minimum size of len. | |
20 | ||
21 | Fixes: ebc08a6f47ee ("rtnetlink: Add VF config code to rtnetlink") | |
22 | Cc: Mitch Williams <mitch.a.williams@intel.com> | |
23 | Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com> | |
24 | Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | |
25 | Acked-by: Thomas Graf <tgraf@suug.ch> | |
26 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
27 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
28 | --- | |
29 | net/core/rtnetlink.c | 18 ++++++------------ | |
30 | 1 file changed, 6 insertions(+), 12 deletions(-) | |
31 | ||
32 | --- a/net/core/rtnetlink.c | |
33 | +++ b/net/core/rtnetlink.c | |
34 | @@ -1237,18 +1237,12 @@ static const struct nla_policy ifla_vfin | |
35 | }; | |
36 | ||
37 | static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = { | |
38 | - [IFLA_VF_MAC] = { .type = NLA_BINARY, | |
39 | - .len = sizeof(struct ifla_vf_mac) }, | |
40 | - [IFLA_VF_VLAN] = { .type = NLA_BINARY, | |
41 | - .len = sizeof(struct ifla_vf_vlan) }, | |
42 | - [IFLA_VF_TX_RATE] = { .type = NLA_BINARY, | |
43 | - .len = sizeof(struct ifla_vf_tx_rate) }, | |
44 | - [IFLA_VF_SPOOFCHK] = { .type = NLA_BINARY, | |
45 | - .len = sizeof(struct ifla_vf_spoofchk) }, | |
46 | - [IFLA_VF_RATE] = { .type = NLA_BINARY, | |
47 | - .len = sizeof(struct ifla_vf_rate) }, | |
48 | - [IFLA_VF_LINK_STATE] = { .type = NLA_BINARY, | |
49 | - .len = sizeof(struct ifla_vf_link_state) }, | |
50 | + [IFLA_VF_MAC] = { .len = sizeof(struct ifla_vf_mac) }, | |
51 | + [IFLA_VF_VLAN] = { .len = sizeof(struct ifla_vf_vlan) }, | |
52 | + [IFLA_VF_TX_RATE] = { .len = sizeof(struct ifla_vf_tx_rate) }, | |
53 | + [IFLA_VF_SPOOFCHK] = { .len = sizeof(struct ifla_vf_spoofchk) }, | |
54 | + [IFLA_VF_RATE] = { .len = sizeof(struct ifla_vf_rate) }, | |
55 | + [IFLA_VF_LINK_STATE] = { .len = sizeof(struct ifla_vf_link_state) }, | |
56 | }; | |
57 | ||
58 | static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = { |