summaryrefslogtreecommitdiff
path: root/ipc
diff options
context:
space:
mode:
authorRobert Shearman <rshearma@brocade.com>2015-12-10 22:30:50 +0300
committerDavid S. Miller <davem@davemloft.net>2015-12-12 08:43:44 +0300
commiteb7809f093b109a7db7454dc775423675d075653 (patch)
treeca897a9f8aaab617628ab70e887a02b8432e42bf /ipc
parent72dcac96c7f8320caf80dfaa559331174060a1ce (diff)
downloadlinux-eb7809f093b109a7db7454dc775423675d075653.tar.xz
mpls: fix out-of-bounds access when via address not specified
When a via address isn't specified, the via table is left initialised to 0 (NEIGH_ARP_TABLE), and the via address length also left initialised to 0. This results in a via address array of length 0 being allocated (contiguous with route and nexthop array), meaning that when a packet is sent using neigh_xmit the neighbour lookup and creation will cause an out-of-bounds access when accessing the 4 bytes of the IPv4 address it assumes it has been given a pointer to. This could be fixed by allocating the 4 bytes of via address necessary and leaving it as all zeroes. However, it seems wrong to me to use an ipv4 nexthop (including possibly ARPing for 0.0.0.0) when the user didn't specify to do so. Instead, set the via address table to NEIGH_NR_TABLES to signify it hasn't been specified and use this at forwarding time to signify a neigh_xmit using an L2 address consisting of the device address. This mechanism is the same as that used for both ARP and ND for loopback interfaces and those flagged as no-arp, which are all we can really support in this case. Fixes: cf4b24f0024f ("mpls: reduce memory usage of routes") Signed-off-by: Robert Shearman <rshearma@brocade.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'ipc')
0 files changed, 0 insertions, 0 deletions