[iproute PATCH] ip-route: Fix nexthop encap parsing

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [iproute PATCH] ip-route: Fix nexthop encap parsing
@ 2018-11-13 12:39 Phil Sutter
  2018-11-14 19:20 ` Stephen Hemminger
  0 siblings, 1 reply; 2+ messages in thread
From: Phil Sutter @ 2018-11-13 12:39 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: netdev

When parsing nexthop parameters, a buffer of 4k bytes is provided. Yet,
in lwt_parse_encap() and some functions called by it, buffer size was
assumed to be 1k despite the actual size was provided. This led to
spurious buffer size errors if the buffer was filled by previous nexthop
parameters to exceed that 1k boundary.

Fixes: 1e5293056a02c ("lwtunnel: Add encapsulation support to ip route")
Fixes: 5866bddd9aa9e ("ila: Add support for ILA lwtunnels")
Fixes: ed67f83806538 ("ila: Support for checksum neutral translation")
Fixes: 86905c8f057c0 ("ila: support for configuring identifier and hook types")
Fixes: b15f440e78373 ("lwt: BPF support for LWT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 ip/iproute_lwtunnel.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ip/iproute_lwtunnel.c b/ip/iproute_lwtunnel.c
index 8f49701509d20..85ab13cb31746 100644
--- a/ip/iproute_lwtunnel.c
+++ b/ip/iproute_lwtunnel.c
@@ -860,7 +860,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 
 	argc--; argv++;
 
-	if (rta_addattr64(rta, 1024, ILA_ATTR_LOCATOR, locator))
+	if (rta_addattr64(rta, len, ILA_ATTR_LOCATOR, locator))
 		return -1;
 
 	while (argc > 0) {
@@ -874,7 +874,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 				invarg("\"csum-mode\" value is invalid\n",
 				       *argv);
 
-			ret = rta_addattr8(rta, 1024, ILA_ATTR_CSUM_MODE,
+			ret = rta_addattr8(rta, len, ILA_ATTR_CSUM_MODE,
 					   (__u8)csum_mode);
 
 			argc--; argv++;
@@ -888,7 +888,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 				invarg("\"ident-type\" value is invalid\n",
 				       *argv);
 
-			ret = rta_addattr8(rta, 1024, ILA_ATTR_IDENT_TYPE,
+			ret = rta_addattr8(rta, len, ILA_ATTR_IDENT_TYPE,
 					   (__u8)ident_type);
 
 			argc--; argv++;
@@ -902,7 +902,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
 				invarg("\"hook-type\" value is invalid\n",
 				       *argv);
 
-			ret = rta_addattr8(rta, 1024, ILA_ATTR_HOOK_TYPE,
+			ret = rta_addattr8(rta, len, ILA_ATTR_HOOK_TYPE,
 					   (__u8)hook_type);
 
 			argc--; argv++;
@@ -1034,7 +1034,7 @@ static int parse_encap_bpf(struct rtattr *rta, size_t len, int *argcp,
 			if (get_unsigned(&headroom, *argv, 0) || headroom == 0)
 				invarg("headroom is invalid\n", *argv);
 			if (!headroom_set)
-				rta_addattr32(rta, 1024, LWT_BPF_XMIT_HEADROOM,
+				rta_addattr32(rta, len, LWT_BPF_XMIT_HEADROOM,
 					      headroom);
 			headroom_set = 1;
 		} else if (strcmp(*argv, "help") == 0) {
@@ -1075,7 +1075,7 @@ int lwt_parse_encap(struct rtattr *rta, size_t len, int *argcp, char ***argvp)
 		exit(-1);
 	}
 
-	nest = rta_nest(rta, 1024, RTA_ENCAP);
+	nest = rta_nest(rta, len, RTA_ENCAP);
 	switch (type) {
 	case LWTUNNEL_ENCAP_MPLS:
 		ret = parse_encap_mpls(rta, len, &argc, &argv);
@@ -1108,7 +1108,7 @@ int lwt_parse_encap(struct rtattr *rta, size_t len, int *argcp, char ***argvp)
 
 	rta_nest_end(rta, nest);
 
-	ret = rta_addattr16(rta, 1024, RTA_ENCAP_TYPE, type);
+	ret = rta_addattr16(rta, len, RTA_ENCAP_TYPE, type);
 
 	*argcp = argc;
 	*argvp = argv;
-- 
2.19.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [iproute PATCH] ip-route: Fix nexthop encap parsing
  2018-11-13 12:39 [iproute PATCH] ip-route: Fix nexthop encap parsing Phil Sutter
@ 2018-11-14 19:20 ` Stephen Hemminger
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Hemminger @ 2018-11-14 19:20 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netdev

On Tue, 13 Nov 2018 13:39:04 +0100
Phil Sutter <phil@nwl.cc> wrote:

> When parsing nexthop parameters, a buffer of 4k bytes is provided. Yet,
> in lwt_parse_encap() and some functions called by it, buffer size was
> assumed to be 1k despite the actual size was provided. This led to
> spurious buffer size errors if the buffer was filled by previous nexthop
> parameters to exceed that 1k boundary.
> 
> Fixes: 1e5293056a02c ("lwtunnel: Add encapsulation support to ip route")
> Fixes: 5866bddd9aa9e ("ila: Add support for ILA lwtunnels")
> Fixes: ed67f83806538 ("ila: Support for checksum neutral translation")
> Fixes: 86905c8f057c0 ("ila: support for configuring identifier and hook types")
> Fixes: b15f440e78373 ("lwt: BPF support for LWT")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Applied

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-11-15  5:25 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-11-13 12:39 [iproute PATCH] ip-route: Fix nexthop encap parsing Phil Sutter
2018-11-14 19:20 ` Stephen Hemminger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox