From: David Ahern <dsahern@kernel.org>
To: kuba@kernel.org, davem@davemloft.net, pabeni@redhat.com
Cc: netdev@vger.kernel.org, idosch@idosch.org,
David Ahern <dsahern@kernel.org>,
Gwangun Jung <exsociety@gmail.com>
Subject: [PATCH net] ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference
Date: Wed, 5 Oct 2022 12:12:57 -0600 [thread overview]
Message-ID: <20221005181257.8897-1-dsahern@kernel.org> (raw)
Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:
fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961
fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753
inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874
Separate nexthop objects are mutually exclusive with the legacy
multipath spec. Fix fib_nh_match to return if the config for the
to be deleted route contains a multipath spec while the fib_info
is using a nexthop object.
Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
Reported-by: Gwangun Jung <exsociety@gmail.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
---
net/ipv4/fib_semantics.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 2dc97583d279..17caa73f57e6 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -926,6 +926,10 @@ int fib_nh_match(struct net *net, struct fib_config *cfg, struct fib_info *fi,
if (!cfg->fc_mp)
return 0;
+ /* multipath spec and nexthop id are mutually exclusive */
+ if (fi->nh)
+ return 1;
+
rtnh = cfg->fc_mp;
remaining = cfg->fc_mp_len;
--
2.25.1
next reply other threads:[~2022-10-05 18:13 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-05 18:12 David Ahern [this message]
2022-10-05 19:08 ` [PATCH net] ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference Ido Schimmel
2022-10-05 19:27 ` David Ahern
2022-10-06 6:49 ` Ido Schimmel
2022-10-06 7:29 ` Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221005181257.8897-1-dsahern@kernel.org \
--to=dsahern@kernel.org \
--cc=davem@davemloft.net \
--cc=exsociety@gmail.com \
--cc=idosch@idosch.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.