From: Jamal Hadi Salim <jhs@mojatatu.com>
Date: Sun, 1 Jan 2023 21:57:43 +0000 (-0500)
Subject: net: sched: atm: dont intepret cls results when asked to drop
X-Git-Tag: archive/raspbian/5.10.162-1+rpi1^2~16
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=180b889f20ebf952cc9e6a61b11b245dbe507606;p=linux.git

net: sched: atm: dont intepret cls results when asked to drop

Origin: https://git.kernel.org/linus/a2965c7be0522eaa18808684b7b82b248515511b
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-23455

If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
res.class contains a valid pointer
Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent")

Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
---

diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index 794c7377cd7..95967ce1f37 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -396,10 +396,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 				result = tcf_classify(skb, fl, &res, true);
 				if (result < 0)
 					continue;
+				if (result == TC_ACT_SHOT)
+					goto done;
+
 				flow = (struct atm_flow_data *)res.class;
 				if (!flow)
 					flow = lookup_flow(sch, res.classid);
-				goto done;
+				goto drop;
 			}
 		}
 		flow = NULL;