From: David Ahern <dsahern@kernel.org>
To: netdev@vger.kernel.org
Cc: idosch@idosch.org, David Ahern <dsahern@kernel.org>
Subject: [PATCH net 5/5] lwtunnel: Validate RTA_ENCAP_TYPE attribute length
Date: Thu, 30 Dec 2021 17:36:35 -0700
Message-ID: <20211231003635.91219-6-dsahern@kernel.org>
In-Reply-To: <20211231003635.91219-1-dsahern@kernel.org>
lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.
lwtunnel_valid_encap_type_attr is called when converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.
Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules")
Signed-off-by: David Ahern <dsahern@kernel.org>
---
net/core/lwtunnel.c | 4 ++++
net/ipv4/fib_semantics.c | 3 +++
net/ipv6/route.c | 4 ++++
3 files changed, 11 insertions(+)
diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c
index 2820aca2173a..9ccd64e8a666 100644
--- a/net/core/lwtunnel.c
+++ b/net/core/lwtunnel.c
@@ -197,6 +197,10 @@ int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int remaining,
nla_entype = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla_entype) {
+ if (nla_len(nla_entype) < sizeof(u16)) {
+ NL_SET_ERR_MSG(extack, "Invalid RTA_ENCAP_TYPE");
+ return -EINVAL;
+ }
encap_type = nla_get_u16(nla_entype);
if (lwtunnel_valid_encap_type(encap_type,
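
Review bot: The extack string in the new nla_len() branch, "Invalid RTA_ENCAP_TYPE", does not say that the attribute length is what failed, so userspace cannot tell a short attribute apart from a rejection by the lwtunnel_valid_encap_type() call that follows. Consider wording it as a length error, for example "Invalid RTA_ENCAP_TYPE length". The check is correctly placed ahead of nla_get_u16(), which would otherwise read two bytes of payload from an attribute that may carry fewer.
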
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 36bc429f1635..92c29ab3d042 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -740,6 +740,9 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
}
fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+ /* RTA_ENCAP_TYPE length checked in
+ * lwtunnel_valid_encap_type_attr
+ */
nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla)
fib_cfg.fc_encap_type = nla_get_u16(nla);
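
Review bot: The nla_get_u16(nla) read after the new comment in fib_get_nhs is still unguarded locally; its safety now depends on every caller having gone through lwtunnel_valid_encap_type_attr first, which lives in another file. A comment documents that invariant but does not enforce it, so a future call path that skips the validator would reintroduce the short read silently. Either repeat the nla_len(nla) < sizeof(u16) test here, or have the comment name the call path that guarantees the ordering so a later reader can verify it.
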
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b311c0bc9983..d2ff8a7e1709 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5287,6 +5287,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
r_cfg.fc_flags |= RTF_GATEWAY;
}
r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+
+ /* RTA_ENCAP_TYPE length checked in
+ * lwtunnel_valid_encap_type_attr
+ */
nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla)
r_cfg.fc_encap_type = nla_get_u16(nla);
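
Review bot: The commit message lists ip6_route_multipath_del alongside ip6_route_multipath_add as a place that relies on the earlier check, but the only net/ipv6/route.c hunk is this one in ip6_route_multipath_add. If the delete path reads RTA_ENCAP_TYPE, it should get the same comment; if it does not, the message should drop it. As a style point, this hunk adds a blank line before the comment while the matching fib_get_nhs hunk does not, and as in the IPv4 hunk the nla_get_u16(nla) read stays dependent on a check made in another file.
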
--
2.24.3 (Apple Git-128)