diff options
| author | David Ahern <dsahern@kernel.org> | 2021-12-31 03:36:35 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-01-11 17:23:32 +0300 |
| commit | 76936ddb4913a39a9a380e191493aec145c6bc7f (patch) | |
| tree | 77fa21ec218d6b45cbc6ff767913cbd275846757 | |
| parent | 2ebd777513d9d2115b68c97869c018c1ddcddc66 (diff) | |
| download | linux-76936ddb4913a39a9a380e191493aec145c6bc7f.tar.xz | |
lwtunnel: Validate RTA_ENCAP_TYPE attribute length
commit 8bda81a4d400cf8a72e554012f0d8c45e07a3904 upstream.
lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.
lwtunnel_valid_encap_type_attr is called converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.
Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules")
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/core/lwtunnel.c | 4 | ||||
| -rw-r--r-- | net/ipv4/fib_semantics.c | 3 | ||||
| -rw-r--r-- | net/ipv6/route.c | 4 |
3 files changed, 11 insertions, 0 deletions
diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c index 2f9c0de533c7..0b64f015b3b0 100644 --- a/net/core/lwtunnel.c +++ b/net/core/lwtunnel.c @@ -190,6 +190,10 @@ int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int remaining, nla_entype = nla_find(attrs, attrlen, RTA_ENCAP_TYPE); if (nla_entype) { + if (nla_len(nla_entype) < sizeof(u16)) { + NL_SET_ERR_MSG(extack, "Invalid RTA_ENCAP_TYPE"); + return -EINVAL; + } encap_type = nla_get_u16(nla_entype); if (lwtunnel_valid_encap_type(encap_type, diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index c462778cbcce..ce4b28f01148 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -732,6 +732,9 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh, } fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP); + /* RTA_ENCAP_TYPE length checked in + * lwtunnel_valid_encap_type_attr + */ nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE); if (nla) fib_cfg.fc_encap_type = nla_get_u16(nla); diff --git a/net/ipv6/route.c b/net/ipv6/route.c index e34cb4db6eb1..53861f9c8ce0 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5156,6 +5156,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, r_cfg.fc_flags |= RTF_GATEWAY; } r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP); + + /* RTA_ENCAP_TYPE length checked in + * lwtunnel_valid_encap_type_attr + */ nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE); if (nla) r_cfg.fc_encap_type = nla_get_u16(nla); |