From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <toke@redhat.com>
Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com
 [209.85.208.67])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by lists.bufferbloat.net (Postfix) with ESMTPS id 9D0773B29E
 for <cake@lists.bufferbloat.net>; Thu,  4 Apr 2019 09:01:35 -0400 (EDT)
Received: by mail-ed1-f67.google.com with SMTP id d11so2094575edp.11
 for <cake@lists.bufferbloat.net>; Thu, 04 Apr 2019 06:01:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:from:to:cc:date:message-id:in-reply-to
 :references:user-agent:mime-version:content-transfer-encoding;
 bh=Z36BMcmPeL6MTAr6fmch4/sChR1td0bJt2tl7Np10/w=;
 b=cJx7ocH4tky6sOrrHd82v3N4yAKZoLKitpqWSbJs7R3u88+pm/W2Zisv/tol+tWjkg
 wXyQ5d7BMtbraNGTGc8OhZPpuRxpWUkgx044bVhh7bqsiRGWz8sJy3NA0Ev1Hs2PwXGU
 L/gtsqtkb4Q9G76zmv9lecedJEmEi63KeM80aYWziSxtUenmHfFwnn7ZW0Fhx2GA6kDZ
 fSBUURLOzCFMhcaZz1+TK2e+meCVPS9mXzbmqBVTCpE3akafKUUg28CNwIQ1vx62huCY
 k0nnSrgQoKJQ9qKImUuCQQTHSiacOolmxE1HMXKRYjHcqEtY17Fx7HBYUaS5dlWqPmBM
 3GLA==
X-Gm-Message-State: APjAAAWaUrq5JCnYWmm/AuGvkPlXHUjwyFOFzbs2v6MWDZguWZVeWhyR
 vZmcHFmxtmgsgwus3f7kfzeD0w==
X-Google-Smtp-Source: APXvYqzFBnHKj/uUgXXBWaCkgh0HsA4Oit4Sp0fgL+piVkuSkh2jtjCVV+rdJQnGie2w/dy+IXuPIg==
X-Received: by 2002:a50:93a6:: with SMTP id o35mr3785730eda.245.1554382894777; 
 Thu, 04 Apr 2019 06:01:34 -0700 (PDT)
Received: from alrua-x1.borgediget.toke.dk (borgediget.toke.dk.
 [85.204.121.218])
 by smtp.gmail.com with ESMTPSA id c57sm5744538ede.28.2019.04.04.06.01.34
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Thu, 04 Apr 2019 06:01:34 -0700 (PDT)
Received: by alrua-x1.borgediget.toke.dk (Postfix, from userid 1000)
 id C4DE71804A7; Thu,  4 Apr 2019 15:01:33 +0200 (CEST)
From: Toke =?utf-8?q?H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, cake@lists.bufferbloat.net
Date: Thu, 04 Apr 2019 15:01:33 +0200
Message-ID: <155438289374.18760.4278774647362746152.stgit@alrua-x1>
In-Reply-To: <155438289359.18760.18027832614176337074.stgit@alrua-x1>
References: <155438289359.18760.18027832614176337074.stgit@alrua-x1>
User-Agent: StGit/unknown-version
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Subject: [Cake] [PATCH net 2/2] sch_cake: Make sure we can write the IP
 header before changing DSCP bits
X-BeenThere: cake@lists.bufferbloat.net
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Cake - FQ_codel the next generation <cake.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cake>,
 <mailto:cake-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cake>
List-Post: <mailto:cake@lists.bufferbloat.net>
List-Help: <mailto:cake-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cake>,
 <mailto:cake-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 13:01:35 -0000

There is not actually any guarantee that the IP headers are valid before we
access the DSCP bits of the packets. Fix this using the same approach taken
in sch_dsmark.

Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 net/sched/sch_cake.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index a3b55e18df04..259d97bc2abd 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1517,16 +1517,27 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free)
 
 static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash)
 {
+	int wlen = skb_network_offset(skb);
 	u8 dscp;
 
 	switch (tc_skb_protocol(skb)) {
 	case htons(ETH_P_IP):
+		wlen += sizeof(struct iphdr);
+		if (!pskb_may_pull(skb, wlen) ||
+		    skb_try_make_writable(skb, wlen))
+			return 0;
+
 		dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
 		if (wash && dscp)
 			ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
 		return dscp;
 
 	case htons(ETH_P_IPV6):
+		wlen += sizeof(struct ipv6hdr);
+		if (!pskb_may_pull(skb, wlen) ||
+		    skb_try_make_writable(skb, wlen))
+			return 0;
+
 		dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2;
 		if (wash && dscp)
 			ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);