net: cgroup: fix out of bounds accesses dev->priomap is allocated by extend_netdev_table() called from update_netdev_tables(). And this is only called if write_priomap() is called. But if write_priomap() is not called, it seems we can have out of bounds accesses in cgrp_destroy(), read_priomap() & skb_update_prio() With help from Gao Feng Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neil Horman <nhorman@tuxdriver.com> Cc: Gao feng <gaofeng@cn.fujitsu.com> Acked-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 91c68ce2b26319248a32d7baa1226f819d283758 [log] [tgz]
author: Eric Dumazet <edumazet@google.com> Sun Jul 08 21:45:10 2012 +0000
committer: David S. Miller <davem@davemloft.net> Mon Jul 09 14:50:54 2012 -0700
tree: eeeea052a0b13d2f97435fe33caa5139e4729a53
parent: 96ca7ffe748bf91f851e6aa4479aa11c8b1122ba [diff] [blame]
diff --git a/net/core/dev.c b/net/core/dev.c
index 84f01ba..0f28a9e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c

@@ -2444,8 +2444,12 @@
 {
 	struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
 
-	if ((!skb->priority) && (skb->sk) && map)
-		skb->priority = map->priomap[skb->sk->sk_cgrp_prioidx];
+	if (!skb->priority && skb->sk && map) {
+		unsigned int prioidx = skb->sk->sk_cgrp_prioidx;
+
+		if (prioidx < map->priomap_len)
+			skb->priority = map->priomap[prioidx];
+	}
 }
 #else
 #define skb_update_prio(skb)
commit	91c68ce2b26319248a32d7baa1226f819d283758	[log] [tgz]
author	Eric Dumazet <edumazet@google.com>	Sun Jul 08 21:45:10 2012 +0000
committer	David S. Miller <davem@davemloft.net>	Mon Jul 09 14:50:54 2012 -0700
tree	eeeea052a0b13d2f97435fe33caa5139e4729a53
parent	96ca7ffe748bf91f851e6aa4479aa11c8b1122ba [diff] [blame]