From: Robert Shearman <rshearma@brocade.com>
To: <ebiederm@xmission.com>, <roopa@cumulusnetworks.com>
Cc: <davem@davemloft.net>, <netdev@vger.kernel.org>,
<sam.h.russell@gmail.com>, Robert Shearman <rshearma@brocade.com>
Subject: [PATCH net 1/4] mpls: validate L2 via address length
Date: Thu, 10 Dec 2015 19:30:48 +0000 [thread overview]
Message-ID: <1449775851-20758-2-git-send-email-rshearma@brocade.com> (raw)
In-Reply-To: <1449775851-20758-1-git-send-email-rshearma@brocade.com>
If an L2 via address for an mpls nexthop is specified, the length of
the L2 address must match that expected by the output device,
otherwise it could access memory beyond the end of the via address
buffer in the route.
This check was present prior to commit f8efb73c97e2 ("mpls: multipath
route support"), but got lost in the refactoring, so add it back,
applying it to all nexthops in multipath routes.
Fixes: f8efb73c97e2 ("mpls: multipath route support")
Signed-off-by: Robert Shearman <rshearma@brocade.com>
---
net/mpls/af_mpls.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index c70d750148b6..3be29cb1f658 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -534,6 +534,10 @@ static int mpls_nh_assign_dev(struct net *net, struct mpls_route *rt,
if (!mpls_dev_get(dev))
goto errout;
+ if ((nh->nh_via_table == NEIGH_LINK_TABLE) &&
+ (dev->addr_len != nh->nh_via_alen))
+ goto errout;
+
RCU_INIT_POINTER(nh->nh_dev, dev);
return 0;
--
2.1.4
next prev parent reply other threads:[~2015-12-10 19:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-10 19:30 [PATCH net 0/4] mpls: fixes for nexthops without via addresses Robert Shearman
2015-12-10 19:30 ` Robert Shearman [this message]
2015-12-11 22:51 ` [PATCH net 1/4] mpls: validate L2 via address length roopa
2015-12-12 0:08 ` roopa
2015-12-10 19:30 ` [PATCH net 2/4] mpls: don't dump RTA_VIA attribute if not specified Robert Shearman
2015-12-10 19:30 ` [PATCH net 3/4] mpls: fix out-of-bounds access when via address " Robert Shearman
2015-12-10 19:30 ` [PATCH net 4/4] mpls: make via address optional for multipath routes Robert Shearman
2015-12-12 5:44 ` [PATCH net 0/4] mpls: fixes for nexthops without via addresses David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1449775851-20758-2-git-send-email-rshearma@brocade.com \
--to=rshearma@brocade.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=netdev@vger.kernel.org \
--cc=roopa@cumulusnetworks.com \
--cc=sam.h.russell@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).