mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-30 14:19:16 +00:00
sch_sfq: validate silly quantum values
[ Upstream commitdf4953e4e9
] syzbot managed to set up sfq so that q->scaled_quantum was zero, triggering an infinite loop in sfq_dequeue() More generally, we must only accept quantum between 1 and 2^18 - 7, meaning scaled_quantum must be in [1, 0x7FFF] range. Otherwise, we also could have a loop in sfq_dequeue() if scaled_quantum happens to be 0x8000, since slot->allot could indefinitely switch between 0 and 0x8000. Fixes:eeaeb068f1
("sch_sfq: allow big packets and be fair") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com Cc: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
9a67503a5a
commit
cdacfbb66f
1 changed files with 9 additions and 0 deletions
|
@ -641,6 +641,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
|
|||
if (ctl->divisor &&
|
||||
(!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
|
||||
return -EINVAL;
|
||||
|
||||
/* slot->allot is a short, make sure quantum is not too big. */
|
||||
if (ctl->quantum) {
|
||||
unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
|
||||
|
||||
if (scaled <= 0 || scaled > SHRT_MAX)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
|
||||
ctl_v1->Wlog))
|
||||
return -EINVAL;
|
||||
|
|
Loading…
Reference in a new issue