| Message ID | 1449775851-20758-2-git-send-email-rshearma@brocade.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On 12/10/15, 11:30 AM, Robert Shearman wrote: > If an L2 via address for an mpls nexthop is specified, the length of > the L2 address must match that expected by the output device, > otherwise it could access memory beyond the end of the via address > buffer in the route. > > This check was present prior to commit f8efb73c97e2 ("mpls: multipath > route support"), but got lost in the refactoring, so add it back, > applying it to all nexthops in multipath routes. > > Fixes: f8efb73c97e2 ("mpls: multipath route support") > Signed-off-by: Robert Shearman <rshearma@brocade.com> > --- > net/mpls/af_mpls.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c > index c70d750148b6..3be29cb1f658 100644 > --- a/net/mpls/af_mpls.c > +++ b/net/mpls/af_mpls.c > @@ -534,6 +534,10 @@ static int mpls_nh_assign_dev(struct net *net, struct mpls_route *rt, > if (!mpls_dev_get(dev)) > goto errout; > > + if ((nh->nh_via_table == NEIGH_LINK_TABLE) && > + (dev->addr_len != nh->nh_via_alen)) > + goto errout; > + > Robert, seems like the right place for this check is nla_get_via ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 12/11/15, 2:51 PM, roopa wrote: > On 12/10/15, 11:30 AM, Robert Shearman wrote: >> If an L2 via address for an mpls nexthop is specified, the length of >> the L2 address must match that expected by the output device, >> otherwise it could access memory beyond the end of the via address >> buffer in the route. >> >> This check was present prior to commit f8efb73c97e2 ("mpls: multipath >> route support"), but got lost in the refactoring, so add it back, >> applying it to all nexthops in multipath routes. >> >> Fixes: f8efb73c97e2 ("mpls: multipath route support") >> Signed-off-by: Robert Shearman <rshearma@brocade.com> >> --- >> net/mpls/af_mpls.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c >> index c70d750148b6..3be29cb1f658 100644 >> --- a/net/mpls/af_mpls.c >> +++ b/net/mpls/af_mpls.c >> @@ -534,6 +534,10 @@ static int mpls_nh_assign_dev(struct net *net, struct mpls_route *rt, >> if (!mpls_dev_get(dev)) >> goto errout; >> >> + if ((nh->nh_via_table == NEIGH_LINK_TABLE) && >> + (dev->addr_len != nh->nh_via_alen)) >> + goto errout; >> + >> > Robert, seems like the right place for this check is nla_get_via ? never mind. This looks fine. Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com> Thanks!. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index c70d750148b6..3be29cb1f658 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -534,6 +534,10 @@ static int mpls_nh_assign_dev(struct net *net, struct mpls_route *rt, if (!mpls_dev_get(dev)) goto errout; + if ((nh->nh_via_table == NEIGH_LINK_TABLE) && + (dev->addr_len != nh->nh_via_alen)) + goto errout; + RCU_INIT_POINTER(nh->nh_dev, dev); return 0;
If an L2 via address for an mpls nexthop is specified, the length of the L2 address must match that expected by the output device, otherwise it could access memory beyond the end of the via address buffer in the route. This check was present prior to commit f8efb73c97e2 ("mpls: multipath route support"), but got lost in the refactoring, so add it back, applying it to all nexthops in multipath routes. Fixes: f8efb73c97e2 ("mpls: multipath route support") Signed-off-by: Robert Shearman <rshearma@brocade.com> --- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+)