bridge: vlan: Prevent possible use-after-free

When adding a port to a bridge we initialize VLAN filtering on it. We do not bail out in case an error occurred in nbp_vlan_init, as it can be used as a non VLAN filtering bridge. However, if VLAN filtering is required and an error occurred in nbp_vlan_init, we should set vlgrp to NULL, so that VLAN filtering functions (e.g. br_vlan_find, br_get_pvid) will know the struct is invalid and will not try to access it. Signed-off-by: N Ido Schimmel <idosch@mellanox.com> Signed-off-by: N Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

bridge: vlan: Prevent possible use-after-free
When adding a port to a bridge we initialize VLAN filtering on it. We do not bail out in case an error occurred in nbp_vlan_init, as it can be used as a non VLAN filtering bridge. However, if VLAN filtering is required and an error occurred in nbp_vlan_init, we should set vlgrp to NULL, so that VLAN filtering functions (e.g. br_vlan_find, br_get_pvid) will know the struct is invalid and will not try to access it. Signed-off-by: N Ido Schimmel <idosch@mellanox.com> Signed-off-by: N Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
07bc588f · Ido Schimmel · David S. Miller · ce105008 · 07bc588f
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

net/bridge/br_vlan.c net/bridge/br_vlan.c +2 -0

未找到文件。
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -914,6 +914,8 @@ int nbp_vlan_init(struct net_bridge_port *p)
 	return ret;
 err_vlan_add:
+	RCU_INIT_POINTER(p->vlgrp, NULL);
+	synchronize_rcu();
 	rhashtable_destroy(&vg->vlan_hash);
 err_rhtbl:
 	kfree(vg);