From: Toke Høiland-Jørgensen
To: Greg Kroah-Hartman
Cc: David Miller, stable@vger.kernel.org, cake@lists.bufferbloat.net
Date: Fri, 05 Apr 2019 12:28:22 +0200
Message-ID: <155446010209.1460.7268205536304242746.stgit@alrua-x1>
In-Reply-To: <155446010188.1460.16734711102827171744.stgit@alrua-x1>
Subject: [Cake] [PATCH for-4.19 3/3] sch_cake: Make sure we can write the IP header before changing DSCP bits

Commit bbd669a868bba591ffd38b7bc75a7b361bb54b04 upstream.

There is not actually any guarantee that the IP headers are valid before we access the DSCP bits of the packets. Fix this using the same approach taken in sch_dsmark.

Reported-by: Kevin Darbyshire-Bryant
Signed-off-by: Toke Høiland-Jørgensen

--- net/sched/sch_cake.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c index de92b5d81ca6..9fd37d91b5ed 100644 --- a/net/sched/sch_cake.c +++ b/net/sched/sch_cake.c 
@@ -1510,16 +1510,27 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free) static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash) { + int wlen = skb_network_offset(skb); u8 dscp; switch (tc_skb_protocol(skb)) { case htons(ETH_P_IP): + wlen += sizeof(struct iphdr); + if (!pskb_may_pull(skb, wlen) || + skb_try_make_writable(skb, wlen)) + return 0; + dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2; if (wash && dscp) ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0); return dscp; case htons(ETH_P_IPV6): + wlen += sizeof(struct ipv6hdr); + if (!pskb_may_pull(skb, wlen) || + skb_try_make_writable(skb, wlen)) + return 0; + dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2; if (wash && dscp) ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
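
Review bot: In both the ETH_P_IP and ETH_P_IPV6 cases, skb_try_make_writable(skb, wlen) runs unconditionally, but the header is only modified under `if (wash && dscp)`. When wash is 0 the function only reads the DS field, so pskb_may_pull() is the only check that path needs. Gating the writable call on wash, or moving it next to the ipv4_change_dsfield()/ipv6_change_dsfield() call, would avoid unsharing a cloned skb for a read-only lookup and would avoid returning 0 for a packet whose DSCP could have been read. The new `return 0` on failure is also indistinguishable from a packet that really carries DSCP 0, so callers cannot tell a failed header check from best-effort traffic; a short comment stating that this fallback is intended would help. The two added blocks differ only in the sizeof() argument and could share a small helper.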