git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Jakub Kicinski <kuba@kernel.org>
	Sun, 10 May 2026 19:29:02 +0000 (12:29 -0700)
committer	Paolo Abeni <pabeni@redhat.com>
	Tue, 12 May 2026 14:15:00 +0000 (16:15 +0200)
commit	8d5806c600fddb907ebe378f9c366d4b52ac3a39
tree	bcd14a27b4bb8a353790be06da07c43a4fcdf7e2	tree \| snapshot
parent	fbf5df34a4dbcd09d433dd4f0916bf9b2ddb16de	commit \| diff

net: shaper: reject handle IDs exceeding internal bit-width

net_shaper_parse_handle() reads the user-supplied handle ID via
nla_get_u32(), accepting the full u32 range. However, the xarray key
is built by net_shaper_handle_to_index() using
FIELD_PREP(NET_SHAPER_ID_MASK, handle->id), where NET_SHAPER_ID_MASK
is GENMASK(25, 0) - only 26 bits wide. FIELD_PREP silently masks off
the upper bits at runtime. A user-supplied NODE id like 0x04000123
becomes id 0x123.

Additionally, a user-supplied id equal to NET_SHAPER_ID_UNSPEC
(0x03FFFFFF, which is NET_SHAPER_ID_MASK itself) would collide with
the sentinel used internally by the group operation to signal
"allocate a new NODE id".

Reject user-supplied IDs >= NET_SHAPER_ID_MASK (i.e., >= 0x03FFFFFF)
in the policy.

Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://patch.msgid.link/20260510192904.3987113-9-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Documentation/netlink/specs/net_shaper.yaml		diff \| blob \| blame \| history
net/shaper/shaper.c		diff \| blob \| blame \| history
net/shaper/shaper_nl_gen.c		diff \| blob \| blame \| history
net/shaper/shaper_nl_gen.h		diff \| blob \| blame \| history