From: David Ahern
Subject: Re: [PATCH net-next] net: metrics: add proper netlink validation
Date: Mon, 4 Jun 2018 16:54:03 -0700
To: Eric Dumazet, "David S . Miller"
Cc: netdev, Eric Dumazet
In-Reply-To: <20180604234601.261823-1-edumazet@google.com>

On 6/4/18 4:46 PM, Eric Dumazet wrote:
> Before using nla_get_u32(), better make sure the attribute
> is of the proper size.
>
> Code recently was changed, but bug has been there from beginning
> of git.
> ...
>
> Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")

That commit just moved the code from 1 file to another. The previous
commit id is 6cf9dfd3bd62e, but it just moved code to a helper.

The originating commit id for the ip_metrics_convert bug is:
ea697639992d9 ("net: tcp: add RTAX_CC_ALGO fib handling")

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Eric Dumazet
> Reported-by: syzbot
> Cc: David Ahern
> ---
> net/ipv4/fib_semantics.c | 2 ++
> net/ipv4/metrics.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
> index 6608db23f54b6afdac0455650b47d64b1b22b255..9a890be8a0265edb78da225a82e2cac120f2150f 100644
> --- a/net/ipv4/fib_semantics.c
> +++ b/net/ipv4/fib_semantics.c
> @@ -717,6 +717,8 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi) > nla_strlcpy(tmp, nla, sizeof(tmp)); > val = tcp_ca_get_key_by_name(fi->fib_net, tmp, &ecn_ca); > } else { > + if (nla_len(nla) != sizeof(u32) > + return false; > val = nla_get_u32(nla); > } > > diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c > index 5121c6475e6b0e9a9a158d4cee473f52cd4d8efe..04311f7067e2e9e3dafb89aa4f8e30dab0fde854 100644 > --- a/net/ipv4/metrics.c > +++ b/net/ipv4/metrics.c > @@ -32,6 +32,8 @@ int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, int fc_mx_len, > if (val == TCP_CA_UNSPEC) > return -EINVAL; > } else { > + if (nla_len(nla) != sizeof(u32)) > + return -EINVAL; > val = nla_get_u32(nla); > } > if (type == RTAX_ADVMSS && val > 65535 - 40) >
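
Review bot: the condition added in the fib_metrics_match() hunk, `if (nla_len(nla) != sizeof(u32)`, is missing its closing parenthesis, so net/ipv4/fib_semantics.c will not compile as posted. It should read `if (nla_len(nla) != sizeof(u32))`, matching the same check in the ip_metrics_convert() hunk.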
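
Review bot: in the ip_metrics_convert() hunk, the check `nla_len(nla) != sizeof(u32)` rejects payloads longer than four bytes as well as shorter ones, although only a short payload makes nla_get_u32() read past the end of the attribute. If strict equality is intended, the commit message should say so, because a request carrying a longer payload that was accepted before will now fail with -EINVAL.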