net: sched: atm: dont intepret cls results when asked to drop

Origin: https://git.kernel.org/linus/a2965c7be0522eaa18808684b7b82b248515511b
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-23455

If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
res.class contains a valid pointer
Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name net-sched-atm-dont-intepret-cls-results-when-asked-t.patch

diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index 794c7377cd7e908eba4cb41c4c184ae2c64526a5..95967ce1f370a94288ef37375084854f1c581be0 100644 (file)
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -396,10 +396,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                                result = tcf_classify(skb, fl, &res, true);
                                if (result < 0)
                                        continue;
+                               if (result == TC_ACT_SHOT)
+                                       goto done;
+
                                flow = (struct atm_flow_data *)res.class;
                                if (!flow)
                                        flow = lookup_flow(sch, res.classid);
-                               goto done;
+                               goto drop;
                        }
                }
                flow = NULL;