From mboxrd@z Thu Jan  1 00:00:00 1970
From: Phil Sutter <phil@nwl.cc>
Subject: [iproute PATCH] ip-route: Fix nexthop encap parsing
Date: Tue, 13 Nov 2018 13:39:04 +0100
Message-ID: <20181113123904.27880-1-phil@nwl.cc>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: netdev@vger.kernel.org
To: Stephen Hemminger <stephen@networkplumber.org>
Return-path: <netdev-owner@vger.kernel.org>
Received: from orbyte.nwl.cc ([151.80.46.58]:42598 "EHLO orbyte.nwl.cc"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732895AbeKMWhN (ORCPT <rfc822;netdev@vger.kernel.org>);
        Tue, 13 Nov 2018 17:37:13 -0500
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

When parsing nexthop parameters, a buffer of 4k bytes is provided. Yet,
in lwt_parse_encap() and some functions called by it, buffer size was
assumed to be 1k despite the actual size was provided. This led to
spurious buffer size errors if the buffer was filled by previous nexthop
parameters to exceed that 1k boundary.

Fixes: 1e5293056a02c ("lwtunnel: Add encapsulation support to ip route")
Fixes: 5866bddd9aa9e ("ila: Add support for ILA lwtunnels")
Fixes: ed67f83806538 ("ila: Support for checksum neutral translation")
Fixes: 86905c8f057c0 ("ila: support for configuring identifier and hook types")
Fixes: b15f440e78373 ("lwt: BPF support for LWT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 ip/iproute_lwtunnel.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ip/iproute_lwtunnel.c b/ip/iproute_lwtunnel.c
index 8f49701509d20..85ab13cb31746 100644
--- a/ip/iproute_lwtunnel.c
+++ b/ip/iproute_lwtunnel.c
@@ -860,7 +860,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 
 	argc--; argv++;
 
-	if (rta_addattr64(rta, 1024, ILA_ATTR_LOCATOR, locator))
+	if (rta_addattr64(rta, len, ILA_ATTR_LOCATOR, locator))
 		return -1;
 
 	while (argc > 0) {
@@ -874,7 +874,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 				invarg("\"csum-mode\" value is invalid\n",
 				       *argv);
 
-			ret = rta_addattr8(rta, 1024, ILA_ATTR_CSUM_MODE,
+			ret = rta_addattr8(rta, len, ILA_ATTR_CSUM_MODE,
 					   (__u8)csum_mode);
 
 			argc--; argv++;
@@ -888,7 +888,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 				invarg("\"ident-type\" value is invalid\n",
 				       *argv);
 
-			ret = rta_addattr8(rta, 1024, ILA_ATTR_IDENT_TYPE,
+			ret = rta_addattr8(rta, len, ILA_ATTR_IDENT_TYPE,
 					   (__u8)ident_type);
 
 			argc--; argv++;
@@ -902,7 +902,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 				invarg("\"hook-type\" value is invalid\n",
 				       *argv);
 
-			ret = rta_addattr8(rta, 1024, ILA_ATTR_HOOK_TYPE,
+			ret = rta_addattr8(rta, len, ILA_ATTR_HOOK_TYPE,
 					   (__u8)hook_type);
 
 			argc--; argv++;
@@ -1034,7 +1034,7 @@ static int parse_encap_bpf(struct rtattr *rta, size_t len, int *argcp,
 			if (get_unsigned(&headroom, *argv, 0) || headroom == 0)
 				invarg("headroom is invalid\n", *argv);
 			if (!headroom_set)
-				rta_addattr32(rta, 1024, LWT_BPF_XMIT_HEADROOM,
+				rta_addattr32(rta, len, LWT_BPF_XMIT_HEADROOM,
 					      headroom);
 			headroom_set = 1;
 		} else if (strcmp(*argv, "help") == 0) {
@@ -1075,7 +1075,7 @@ int lwt_parse_encap(struct rtattr *rta, size_t len, int *argcp, char ***argvp)
 		exit(-1);
 	}
 
-	nest = rta_nest(rta, 1024, RTA_ENCAP);
+	nest = rta_nest(rta, len, RTA_ENCAP);
 	switch (type) {
 	case LWTUNNEL_ENCAP_MPLS:
 		ret = parse_encap_mpls(rta, len, &argc, &argv);
@@ -1108,7 +1108,7 @@ int lwt_parse_encap(struct rtattr *rta, size_t len, int *argcp, char ***argvp)
 
 	rta_nest_end(rta, nest);
 
-	ret = rta_addattr16(rta, 1024, RTA_ENCAP_TYPE, type);
+	ret = rta_addattr16(rta, len, RTA_ENCAP_TYPE, type);
 
 	*argcp = argc;
 	*argvp = argv;
-- 
2.19.0