
Commit 76936ddb authored by David Ahern, committed by Greg Kroah-Hartman

lwtunnel: Validate RTA_ENCAP_TYPE attribute length



commit 8bda81a4d400cf8a72e554012f0d8c45e07a3904 upstream.

lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.

lwtunnel_valid_encap_type_attr is called converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.

Fixes: 9ed59592 ("lwtunnel: fix autoload of lwt modules")

Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 2ebd7775
+4 −0
@@ -190,6 +190,10 @@ int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int remaining,
			nla_entype = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);

			if (nla_entype) {
				if (nla_len(nla_entype) < sizeof(u16)) {
					NL_SET_ERR_MSG(extack, "Invalid RTA_ENCAP_TYPE");
					return -EINVAL;
				}
				encap_type = nla_get_u16(nla_entype);

				if (lwtunnel_valid_encap_type(encap_type,
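Review bot: The extack text on the new length check, "Invalid RTA_ENCAP_TYPE", does not say that it was the attribute length that was rejected, nor that the attribute was found inside a nexthop of a multipath route. A message that names the length problem, set with NL_SET_ERR_MSG_ATTR(extack, nla_entype, ...) so the offending attribute is reported back to userspace, would make the -EINVAL easier to diagnose. The placement of the check, before the nla_get_u16(nla_entype) read, is right.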
+3 −0
@@ -732,6 +732,9 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
			}

			fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
			/* RTA_ENCAP_TYPE length checked in
			 * lwtunnel_valid_encap_type_attr
			 */
			nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
			if (nla)
				fib_cfg.fc_encap_type = nla_get_u16(nla);
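Review bot: The read at "fib_cfg.fc_encap_type = nla_get_u16(nla);" in fib_get_nhs is still unguarded locally; the added comment only records that lwtunnel_valid_encap_type_attr is expected to have run first. That makes the safety of this read depend on call order, which a later caller or refactor can break without touching this function. A local "nla_len(nla) < sizeof(u16)" check returning an error would cost little and keep the invariant next to the access; if the comment-only approach stays, it should name the call path that guarantees the earlier validation.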
+4 −0
@@ -5156,6 +5156,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
				r_cfg.fc_flags |= RTF_GATEWAY;
			}
			r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);

			/* RTA_ENCAP_TYPE length checked in
			 * lwtunnel_valid_encap_type_attr
			 */
			nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
			if (nla)
				r_cfg.fc_encap_type = nla_get_u16(nla);
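Review bot: The commit message lists ip6_route_multipath_del alongside fib_get_nhs and ip6_route_multipath_add as places that rely on the earlier validation, but the hunks shown add the explanatory comment only to fib_get_nhs and here in ip6_route_multipath_add. Either add the same comment (or a local length check) in ip6_route_multipath_del, or adjust the commit message so the documented set of dependent call sites matches the change. As in fib_get_nhs, "r_cfg.fc_encap_type = nla_get_u16(nla);" remains protected only by call order.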