From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Ahern <dsahern@kernel.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.10 21/43] lwtunnel: Validate RTA_ENCAP_TYPE attribute length
Date: Mon, 10 Jan 2022 08:23:18 +0100
Message-ID: <20220110071818.057582556@linuxfoundation.org>
In-Reply-To: <20220110071817.337619922@linuxfoundation.org>

From: David Ahern <dsahern@kernel.org>

commit 8bda81a4d400cf8a72e554012f0d8c45e07a3904 upstream.

lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.

lwtunnel_valid_encap_type_attr is called converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.

Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules")
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/lwtunnel.c | 4 ++++
net/ipv4/fib_semantics.c | 3 +++
net/ipv6/route.c | 4 ++++
3 files changed, 11 insertions(+)
--- a/net/core/lwtunnel.c
+++ b/net/core/lwtunnel.c
@@ -192,6 +192,10 @@ int lwtunnel_valid_encap_type_attr(struc
nla_entype = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla_entype) {
+ if (nla_len(nla_entype) < sizeof(u16)) {
+ NL_SET_ERR_MSG(extack, "Invalid RTA_ENCAP_TYPE");
+ return -EINVAL;
+ }
encap_type = nla_get_u16(nla_entype);
if (lwtunnel_valid_encap_type(encap_type,
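
Review bot: the new test at the top of the if (nla_entype) block is nla_len(nla_entype) < sizeof(u16), so an RTA_ENCAP_TYPE longer than two bytes still passes and nla_get_u16() then reads only its first two bytes. If an exact size is what is wanted, compare with != instead; if the lenient form is deliberate, keep it, but consider making the extack string say that the length was rejected, since "Invalid RTA_ENCAP_TYPE" can be read by userspace as a complaint about the type value rather than the attribute size.
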
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -741,6 +741,9 @@ static int fib_get_nhs(struct fib_info *
}
fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+ /* RTA_ENCAP_TYPE length checked in
+ * lwtunnel_valid_encap_type_attr
+ */
nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla)
fib_cfg.fc_encap_type = nla_get_u16(nla);
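
Review bot: the nla_get_u16(nla) after this nla_find() is still unchecked locally, and the added comment is the only thing tying it to the check in net/core/lwtunnel.c. That makes the read safe only as long as every path into fib_get_nhs has already gone through lwtunnel_valid_encap_type_attr, which nothing in this function enforces. Either repeat the cheap nla_len(nla) < sizeof(u16) test here, or extend the comment to name the call site that guarantees the ordering so a later refactor does not silently drop it.
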
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5176,6 +5176,10 @@ static int ip6_route_multipath_add(struc
r_cfg.fc_flags |= RTF_GATEWAY;
}
r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+
+ /* RTA_ENCAP_TYPE length checked in
+ * lwtunnel_valid_encap_type_attr
+ */
nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla)
r_cfg.fc_encap_type = nla_get_u16(nla);
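
Review bot: the commit message lists ip6_route_multipath_del alongside ip6_route_multipath_add as a place that uses nla_get_u16 on RTA_ENCAP_TYPE, but this is the only hunk in net/ipv6/route.c and it touches only the add path. Please either add the same comment at the delete path or adjust the message if that function does not read the attribute. Minor style point: this hunk adds a blank line before the comment while the matching net/ipv4/fib_semantics.c hunk does not; keeping the two identical would help when grepping for the pair.
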