From: Julian Anastasov <ja@ssi.bg>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
Andy Gospodarek <gospo@cumulusnetworks.com>,
Dinesh Dutt <ddutt@cumulusnetworks.com>,
Scott Feldman <sfeldma@gmail.com>
Subject: [PATCH net] ipv4: reject RTNH_F_LINKDOWN for incompatible routes
Date: Sat, 9 Jul 2016 12:00:15 +0300 [thread overview]
Message-ID: <1468054815-24766-1-git-send-email-ja@ssi.bg> (raw)
Vegard Nossum is reporting for a crash in fib_dump_info (fib_nhs==1)
when nh_dev = NULL. Problem happens when RTNH_F_LINKDOWN is
provided from user space for routes that do not use the flag,
catched with netlink fuzzer.
RTNH_F_LINKDOWN should be used only for link routes, not for
local routes or for routes with error code. Do not complicate
fast path with more checks, reject the flag early when configured
for incompatible routes.
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Fixes: 0eeb075fad73 ("net: ipv4 sysctl option to ignore routes when nexthop link is down")
Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Cc: Dinesh Dutt <ddutt@cumulusnetworks.com>
Cc: Scott Feldman <sfeldma@gmail.com>
---
net/ipv4/fib_semantics.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
Note: works for all kernels: net, net-next, 4.4.14, 4.5.7, 4.6.3
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index d09173b..b642479 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -1113,7 +1113,8 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
}
if (fib_props[cfg->fc_type].error) {
- if (cfg->fc_gw || cfg->fc_oif || cfg->fc_mp)
+ if (cfg->fc_gw || cfg->fc_oif || cfg->fc_mp ||
+ (fi->fib_nh->nh_flags & RTNH_F_LINKDOWN))
goto err_inval;
goto link_it;
} else {
@@ -1136,7 +1137,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
struct fib_nh *nh = fi->fib_nh;
/* Local address is added. */
- if (nhs != 1 || nh->nh_gw)
+ if (nhs != 1 || nh->nh_gw || (nh->nh_flags & RTNH_F_LINKDOWN))
goto err_inval;
nh->nh_scope = RT_SCOPE_NOWHERE;
nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
--
1.9.3
next reply other threads:[~2016-07-09 9:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-09 9:00 Julian Anastasov [this message]
2016-07-09 17:23 ` [PATCH net] ipv4: reject RTNH_F_LINKDOWN for incompatible routes Andy Gospodarek
2016-07-09 19:10 ` Vegard Nossum
2016-07-09 20:11 ` Julian Anastasov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1468054815-24766-1-git-send-email-ja@ssi.bg \
--to=ja@ssi.bg \
--cc=davem@davemloft.net \
--cc=ddutt@cumulusnetworks.com \
--cc=gospo@cumulusnetworks.com \
--cc=netdev@vger.kernel.org \
--cc=sfeldma@gmail.com \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox