* [IPv4] fib: Fix out of bound access of fib_props[]
From: Thomas Graf @ 2006-11-29 13:55 UTC (permalink / raw)
To: davem; +Cc: netdev
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Index: net-2.6/net/ipv4/fib_semantics.c
===================================================================
--- net-2.6.orig/net/ipv4/fib_semantics.c 2006-11-29 13:33:05.000000000 +0100
+++ net-2.6/net/ipv4/fib_semantics.c 2006-11-29 13:36:13.000000000 +0100
@@ -89,7 +89,7 @@
{
int error;
u8 scope;
-} fib_props[RTA_MAX + 1] = {
+} fib_props[RTN_MAX + 1] = {
{
.error = 0,
.scope = RT_SCOPE_NOWHERE,
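Review bot: The changelog calls the RTA_MAX to RTN_MAX change in the fib_props[] declarator a typo but does not say which of the two constants is larger, so a reader cannot tell whether the old array was merely oversized or too small for valid route types. Stating that in the commit message would make clear whether the resize on its own closes an out-of-bounds read, or whether only the new fc_type check does.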
@@ -658,6 +658,9 @@
struct fib_info *ofi;
int nhs = 1;
+ if (cfg->fc_type > RTN_MAX)
+ goto err_inval;
+
/* Fast check to catch the most weird cases */
if (fib_props[cfg->fc_type].scope > cfg->fc_scope)
goto err_inval;
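Review bot: The added test `if (cfg->fc_type > RTN_MAX)` checks the upper bound only, which is sufficient only if fc_type is an unsigned field; that is worth confirming, since the changelog says the value comes from userspace via netlink. The test also guards just the fib_props[cfg->fc_type] lookup that follows it, so any other use of that index reached before this point stays unchecked; validating fc_type once where the netlink request is parsed would cover every user.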
* [IPv4] fib: Fix out of bound access of fib_props[]
From: Thomas Graf @ 2007-03-24 15:34 UTC (permalink / raw)
To: davem; +Cc: netdev
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Index: net-2.6/net/ipv4/fib_frontend.c
===================================================================
--- net-2.6.orig/net/ipv4/fib_frontend.c 2007-03-24 15:56:17.000000000 +0100
+++ net-2.6/net/ipv4/fib_frontend.c 2007-03-24 15:57:16.000000000 +0100
@@ -493,6 +493,11 @@ static int rtm_to_fib_config(struct sk_b
cfg->fc_nlinfo.pid = NETLINK_CB(skb).pid;
cfg->fc_nlinfo.nlh = nlh;
+ if (cfg->fc_type > RTN_MAX) {
+ err = -EINVAL;
+ goto errout;
+ }
+
nlmsg_for_each_attr(attr, nlh, sizeof(struct rtmsg), remaining) {
switch (attr->nla_type) {
case RTA_DST:
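Review bot: Rejecting fc_type at the top of rtm_to_fib_config, before nlmsg_for_each_attr, covers only configurations built from a netlink message by this function; if a fib_config can reach the fib_props[cfg->fc_type] lookup by any other route, that path is left unchecked. Either confirm that every producer of a fib_config validates fc_type, or keep a second `cfg->fc_type > RTN_MAX` test next to the array access itself.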
Index: net-2.6/net/ipv4/fib_semantics.c
===================================================================
--- net-2.6.orig/net/ipv4/fib_semantics.c 2007-03-24 15:57:42.000000000 +0100
+++ net-2.6/net/ipv4/fib_semantics.c 2007-03-24 15:58:14.000000000 +0100
@@ -89,7 +89,7 @@ static const struct
{
int error;
u8 scope;
-} fib_props[RTA_MAX + 1] = {
+} fib_props[RTN_MAX + 1] = {
{
.error = 0,
.scope = RT_SCOPE_NOWHERE,
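Review bot: With the table declared as fib_props[RTN_MAX + 1], any route type that has no entry in the initializer list is left zero-filled, that is .error = 0 and .scope = 0, and code indexing the table will treat it as a valid non-error type. A short comment on the declaration saying that every route type up to RTN_MAX needs its own entry would keep the table and the enum in step when a type is added.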
* Re: [IPv4] fib: Fix out of bound access of fib_props[]
From: David Miller @ 2007-03-25 3:33 UTC (permalink / raw)
To: tgraf; +Cc: netdev
From: Thomas Graf <tgraf@suug.ch>
Date: Sat, 24 Mar 2007 16:34:36 +0100
> Fixes a typo which caused fib_props[] to have the wrong size
> and makes sure the value used to index the array which is
> provided by userspace via netlink is checked to avoid out of
> bound access.
>
> Signed-off-by: Thomas Graf <tgraf@suug.ch>
Applied, thanks.
* Re: [IPv4] fib: Fix out of bound access of fib_props[]
From: Willy Tarreau @ 2007-04-14 14:26 UTC (permalink / raw)
To: David Miller; +Cc: tgraf, netdev
On Sat, Mar 24, 2007 at 08:33:39PM -0700, David Miller wrote:
> From: Thomas Graf <tgraf@suug.ch>
> Date: Sat, 24 Mar 2007 16:34:36 +0100
>
> > Fixes a typo which caused fib_props[] to have the wrong size
> > and makes sure the value used to index the array which is
> > provided by userspace via netlink is checked to avoid out of
> > bound access.
> >
> > Signed-off-by: Thomas Graf <tgraf@suug.ch>
>
> Applied, thanks.
Thomas, David, it seems to me that 2.4 needs the same fix for the
typo, but I see no place where we may add the check for > RTN_MAX.
Maybe this last one is not needed. If someone could enlighten me,
or at least provide a means to test if the bug is present, it would
help me.
Thanks in advance,
Willy
* Re: [IPv4] fib: Fix out of bound access of fib_props[]
From: Willy Tarreau @ 2007-04-14 15:48 UTC (permalink / raw)
To: David Miller; +Cc: tgraf, netdev
On Sat, Apr 14, 2007 at 04:26:55PM +0200, Willy Tarreau wrote:
> On Sat, Mar 24, 2007 at 08:33:39PM -0700, David Miller wrote:
> > From: Thomas Graf <tgraf@suug.ch>
> > Date: Sat, 24 Mar 2007 16:34:36 +0100
> >
> > > Fixes a typo which caused fib_props[] to have the wrong size
> > > and makes sure the value used to index the array which is
> > > provided by userspace via netlink is checked to avoid out of
> > > bound access.
> > >
> > > Signed-off-by: Thomas Graf <tgraf@suug.ch>
> >
> > Applied, thanks.
>
> Thomas, David, it seems to me that 2.4 needs the same fix for the
> typo, but I see no place where we may add the check for > RTN_MAX.
> Maybe this last one is not needed. If someone could enlighten me,
> or at least provide a means to test if the bug is present, it would
> help me.
Finally, I think I have the correct fix below. Please someone confirm
or tell me I'm nuts.
Thanks in advance,
Willy
From 230c62b9e7000cfb407a079a21ad0f077f164b21 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 14 Apr 2007 17:44:03 +0200
Subject: [IPv4] fib: Fix out of bound access of fib_props[]
Backported from 2.6. Bug found and fixed by Thomas Graf :
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
---
net/ipv4/fib_semantics.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index afdf4bb..b930371 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -83,7 +83,7 @@ static struct
{
int error;
u8 scope;
-} fib_props[RTA_MAX+1] = {
+} fib_props[RTN_MAX+1] = {
{ 0, RT_SCOPE_NOWHERE}, /* RTN_UNSPEC */
{ 0, RT_SCOPE_UNIVERSE}, /* RTN_UNICAST */
{ 0, RT_SCOPE_HOST}, /* RTN_LOCAL */
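Review bot: The entries under fib_props[RTN_MAX+1] are positional and tied to their route type only by the trailing comment (/* RTN_UNSPEC */, /* RTN_UNICAST */, /* RTN_LOCAL */), so the resized array is correct only if the list holds exactly one entry per route type, in enum order. Count the initializers against RTN_MAX+1 as part of this backport; a list that is too short leaves zero-filled entries at the end of the table.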
@@ -431,6 +431,11 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta,
const int nhs = 1;
#endif
+ if (r->rtm_type > RTN_MAX) {
+ err = -EINVAL;
+ goto errout;
+ }
+
/* Fast check to catch the most weird cases */
if (fib_props[r->rtm_type].scope > r->rtm_scope)
goto err_inval;
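Review bot: The new check sets `err = -EINVAL` and jumps to `errout`, while the existing check three lines below it rejects bad input with `goto err_inval`. Unless an errout label exists in fib_create_info and is meant to be used here, the added branch should use `goto err_inval` like its neighbour, so that both invalid-input cases leave through the same cleanup path and the explicit err assignment can be dropped.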
--
1.4.4.4
* Re: [IPv4] fib: Fix out of bound access of fib_props[]
From: Thomas Graf @ 2007-04-16 8:14 UTC (permalink / raw)
To: Willy Tarreau; +Cc: David Miller, netdev
* Willy Tarreau <w@1wt.eu> 2007-04-14 17:48
> Finally, I think I have the correct fix below. Please someone confirm
> or tell me I'm nuts.
Looks good, same is needed for DECnet
* Re: [IPv4] fib: Fix out of bound access of fib_props[]
From: Willy Tarreau @ 2007-04-16 8:45 UTC (permalink / raw)
To: Thomas Graf; +Cc: David Miller, netdev
On Mon, Apr 16, 2007 at 10:14:17AM +0200, Thomas Graf wrote:
> * Willy Tarreau <w@1wt.eu> 2007-04-14 17:48
> > Finally, I think I have the correct fix below. Please someone confirm
> > or tell me I'm nuts.
>
> Looks good, same is needed for DECnet
Thank you Thomas.
The DECnet stuff was already merged, it was (expectedly) the same code.
Regards,
Willy