From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stephen Hemminger
Subject: Re: [iproute PATCH v2] ip-route: Fix segfault with many nexthops
Date: Mon, 10 Sep 2018 12:17:07 -0700
Message-ID: <20180910121707.419b04bc@shemminger-XPS-13-9360>
References: <20180906133151.21753-1-phil@nwl.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org
To: Phil Sutter
Return-path:
Received: from mail-pg1-f193.google.com ([209.85.215.193]:33640 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727877AbeIKAMm (ORCPT ); Mon, 10 Sep 2018 20:12:42 -0400
Received: by mail-pg1-f193.google.com with SMTP id s7-v6so10968511pgc.0 for ; Mon, 10 Sep 2018 12:17:09 -0700 (PDT)
In-Reply-To: <20180906133151.21753-1-phil@nwl.cc>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Thu, 6 Sep 2018 15:31:51 +0200
Phil Sutter wrote:

> It was possible to crash ip-route by adding an IPv6 route with 37
> nexthop statements. A simple reproducer is:
>
> | for i in `seq 37`; do
> | nhs="nexthop via 1111::$i "$nhs
> | done
> | ip -6 route add 3333::/64 $nhs
>
> The related code was broken in multiple ways:
>
> * parse_one_nh() assumed that rta points to 4kB of storage but caller
>   provided just 1kB. Fixed by passing 'len' parameter with the correct
>   value.
>
> * Error checking of rta_addattr*() calls in parse_one_nh() and called
>   functions was completely absent, so with above fix in place output
>   flood would occur due to parser looping forever.
>
> While being at it, increase message buffer sizes to 4k. This allows for
> at most 144 nexthops.
>
> Signed-off-by: Phil Sutter

Thanks for fixing this. Shows where more test cases are needed.
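The two defects the patch describes, a callee assuming a larger buffer than the caller provided and unchecked return values from the attribute-append helpers, are a general pattern in netlink message builders. The following is an added example written for this archive page, not iproute2's code: it models a message builder with simplified headers (constructed here, loosely shaped like struct rtattr and struct rtnexthop) where the caller's buffer size is passed explicitly and every append is checked, so a request for more nexthops than fit stops cleanly instead of writing past the buffer or looping forever. The names add_attr, add_nexthop and add_nexthops, the 8-byte nexthop header and the 16-byte gateway attribute are assumptions of this example; with those sizes each nexthop costs 28 bytes, so a 1 kB buffer holds 36 and the 37th from the reproducer is the first to be refused.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ALIGN4(n) (((n) + 3u) & ~3u)

/* Simplified headers constructed for this example (shaped like rtattr / rtnexthop). */
struct attr_hdr { uint16_t len; uint16_t type; };                       /* 4 bytes */
struct nh_hdr   { uint16_t len; uint8_t flags; uint8_t hops; int32_t ifindex; }; /* 8 bytes */

#define ATTR_GATEWAY 5   /* hypothetical attribute type for the gateway address */

/* The message carries its own capacity: the callee never guesses the buffer size. */
struct msg { unsigned char *buf; size_t maxlen; size_t used; };

/* Reserve 'need' bytes; NULL when the caller-provided buffer is full. */
static void *reserve(struct msg *m, size_t need) {
    if (need > m->maxlen - m->used) return NULL;
    void *p = m->buf + m->used;
    m->used += need;
    return p;
}

/* Append one attribute. Returns 0 on success, -1 if it does not fit. */
int add_attr(struct msg *m, uint16_t type, const void *data, size_t datalen) {
    size_t need = ALIGN4(sizeof(struct attr_hdr) + datalen);
    struct attr_hdr *h = reserve(m, need);
    if (!h) return -1;
    h->len = (uint16_t)(sizeof(struct attr_hdr) + datalen);
    h->type = type;
    memcpy(h + 1, data, datalen);
    return 0;
}

/* Append one nexthop: header plus nested gateway attribute. Every write is checked,
   and a nexthop that only half fits is rolled back rather than left truncated. */
int add_nexthop(struct msg *m, int ifindex, const unsigned char gw[16]) {
    size_t start = m->used;
    struct nh_hdr *nh = reserve(m, sizeof *nh);
    if (!nh) return -1;
    nh->flags = 0;
    nh->hops = 0;
    nh->ifindex = ifindex;
    if (add_attr(m, ATTR_GATEWAY, gw, 16) < 0) {
        m->used = start;  /* roll back the partial nexthop */
        return -1;
    }
    nh->len = (uint16_t)(m->used - start);
    return 0;
}

/* Try to add 'requested' IPv6 nexthops (1111::1, 1111::2, ...) into a fresh buffer of
   'bufsize' bytes. Returns how many fit; the loop stops at the first failure. */
size_t add_nexthops(size_t bufsize, size_t requested) {
    unsigned char *buf = calloc(bufsize, 1);
    if (!buf) return 0;
    struct msg m = { buf, bufsize, 0 };
    unsigned char gw[16] = { 0x11, 0x11 };  /* 1111::/16 prefix, host byte set below */
    size_t i;
    for (i = 0; i < requested; i++) {
        gw[15] = (unsigned char)(i + 1);
        if (add_nexthop(&m, 2, gw) < 0) break;
    }
    free(buf);
    return i;
}

int main(void) {
    printf("1 kB buffer: %zu of 37 nexthops fit\n", add_nexthops(1024, 37));
    printf("4 kB buffer: %zu of 200 nexthops fit\n", add_nexthops(4096, 200));
    return 0;
}
```

The property worth testing is the one the patch's reproducer exercises: asking for more nexthops than the buffer holds must yield a bounded count and no write beyond maxlen, regardless of whether the buffer is 1 kB or 4 kB.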