Commit d7443185 authored May 05, 2015 by WANG Cong Committed by David S. Miller May 09, 2015

net_sched: fix a use-after-free in tc_ctl_tfilter()



When tcf_destroy() returns true, tp could be already destroyed,
we should not use tp->next after that.

For long term, we probably should move tp list to list_head.

Fixes: 1e052be6 ("net_sched: destroy proto tp when all filters are gone")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 1006da19

net/sched/cls_api.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -308,13 +308,12 @@ static int tc_ctl_tfilter(struct sk_buff skb, struct nlmsghdr n)
		case RTM_DELTFILTER:
		err = tp->ops->delete(tp, fh);
		if (err == 0) {
		tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
		if (tcf_destroy(tp, false)) {
		struct tcf_proto *next = rtnl_dereference(tp->next);

		tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
		if (tcf_destroy(tp, false))
		RCU_INIT_POINTER(*back, next);
		}
		}
		goto errout;
		case RTM_GETTFILTER:
		err = tfilter_notify(net, skb, n, tp, fh, RTM_NEWTFILTER);