ipv4: Check attribute length for RTA_FLOW in multipath route (34224e93) · Commits · e / devices / android_kernel_fairphone_FP5

net/ipv4/fib_semantics.c

+14 −3

Original line number	Diff line number	Diff line
		@@ -723,8 +723,13 @@ static int fib_get_nhs(struct fib_info fi, struct rtnexthop rtnh,
		}

		nla = nla_find(attrs, attrlen, RTA_FLOW);
		if (nla)
		if (nla) {
		if (nla_len(nla) < sizeof(u32)) {
		NL_SET_ERR_MSG(extack, "Invalid RTA_FLOW");
		return -EINVAL;
		}
		fib_cfg.fc_flow = nla_get_u32(nla);
		}

		fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
		nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
		@@ -955,8 +960,14 @@ int fib_nh_match(struct fib_config cfg, struct fib_info fi,

		#ifdef CONFIG_IP_ROUTE_CLASSID
		nla = nla_find(attrs, attrlen, RTA_FLOW);
		if (nla && nla_get_u32(nla) != nh->nh_tclassid)
		if (nla) {
		if (nla_len(nla) < sizeof(u32)) {
		NL_SET_ERR_MSG(extack, "Invalid RTA_FLOW");
		return -EINVAL;
		}
		if (nla_get_u32(nla) != nh->nh_tclassid)
		return 1;
		}
		#endif
		}