htb: fix sign extension bug
authorstephen hemminger <stephen@networkplumber.org>
Fri, 2 Aug 2013 05:32:07 +0000 (22:32 -0700)
committerDavid S. Miller <davem@davemloft.net>
Fri, 2 Aug 2013 21:52:20 +0000 (14:52 -0700)
When userspace passes a large priority value
the assignment of the unsigned value hopt->prio
to  signed int cl->prio causes cl->prio to become negative and the
comparison is with TC_HTB_NUMPRIO is always false.

The result is that HTB crashes by referencing outside
the array when processing packets. With this patch the large value
wraps around like other values outside the normal range.

See: https://bugzilla.kernel.org/show_bug.cgi?id=60669

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_htb.c

index c2124ea29f4594304c3b7ecb02af411ed62fbebe..45e751527dfcc57ed533c4b259bbf5c56e093cfc 100644 (file)
@@ -100,7 +100,7 @@ struct htb_class {
        struct psched_ratecfg   ceil;
        s64                     buffer, cbuffer;/* token bucket depth/rate */
        s64                     mbuffer;        /* max wait time */
-       int                     prio;           /* these two are used only by leaves... */
+       u32                     prio;           /* these two are used only by leaves... */
        int                     quantum;        /* but stored for parent-to-leaf return */
 
        struct tcf_proto        *filter_list;   /* class attached filters */