htb: fix sign extension bug
authorstephen hemminger <stephen@networkplumber.org>
Fri, 2 Aug 2013 05:32:07 +0000 (22:32 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Sep 2013 13:54:54 +0000 (06:54 -0700)
[ Upstream commit cbd375567f7e4811b1c721f75ec519828ac6583f ]

When userspace passes a large priority value
the assignment of the unsigned value hopt->prio
to  signed int cl->prio causes cl->prio to become negative and the
comparison is with TC_HTB_NUMPRIO is always false.

The result is that HTB crashes by referencing outside
the array when processing packets. With this patch the large value
wraps around like other values outside the normal range.

See: https://bugzilla.kernel.org/show_bug.cgi?id=60669

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/sched/sch_htb.c

index adaedd79389ccd0775a824c9e3c61aef2ea5355e..5c9f0b7b21097fe08bf62150b6349f17fd16e7c7 100644 (file)
@@ -87,7 +87,7 @@ struct htb_class {
        unsigned int children;
        struct htb_class *parent;       /* parent class */
 
-       int prio;               /* these two are used only by leaves... */
+       u32 prio;               /* these two are used only by leaves... */
        int quantum;            /* but stored for parent-to-leaf return */
 
        union {