net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given

Submitted by Florian Larysch on April 3, 2017, 2:46 p.m.

Details

Message ID 20170403144609.18716-1-fl@n621.de
State Accepted
Delegated to: David Miller
Headers show

Commit Message

Florian Larysch April 3, 2017, 2:46 p.m.
inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
ip_route_input when iif is given. If a multipath route is present for
the designated destination, ip_multipath_icmp_hash ends up being called,
which uses the source/destination addresses within the skb to calculate
a hash. However, those are not set in the synthetic skb, causing it to
return an arbitrary and incorrect result.

Instead, use UDP, which gets no such special treatment.

Signed-off-by: Florian Larysch <fl@n621.de>
---
 net/ipv4/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

David Ahern April 3, 2017, 5:33 p.m.
On 4/3/17 10:46 AM, Florian Larysch wrote:
> inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
> ip_route_input when iif is given. If a multipath route is present for
> the designated destination, ip_multipath_icmp_hash ends up being called,

that function no longer exists since Nik's recent work
(bf4e0a3db97eb882368fd82980b3b1fa0b5b9778)

So does the problem you noted still exist?
Florian Larysch April 3, 2017, 6:06 p.m.
On Mon, Apr 03, 2017 at 01:33:39PM -0400, David Ahern wrote:
> that function no longer exists since Nik's recent work
> (bf4e0a3db97eb882368fd82980b3b1fa0b5b9778)

Didn't notice that as I was looking at Linus' tree. Thanks.

> So does the problem you noted still exist?

Yes. And in fact, that change invalidates the fix I proposed. I'll
submit something new for net-next.

Florian
David Miller April 6, 2017, 7:19 p.m.
From: Florian Larysch <fl@n621.de>
Date: Mon,  3 Apr 2017 16:46:09 +0200

> inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
> ip_route_input when iif is given. If a multipath route is present for
> the designated destination, ip_multipath_icmp_hash ends up being called,
> which uses the source/destination addresses within the skb to calculate
> a hash. However, those are not set in the synthetic skb, causing it to
> return an arbitrary and incorrect result.
> 
> Instead, use UDP, which gets no such special treatment.
> 
> Signed-off-by: Florian Larysch <fl@n621.de>

Applied and queued up for -stable.

Please submit the net-next variant you mentioned, thank you.

Patch hide | download patch | download mbox

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 8471dd116771..acd69cfe2951 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2620,7 +2620,7 @@  static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
 	skb_reset_network_header(skb);
 
 	/* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
-	ip_hdr(skb)->protocol = IPPROTO_ICMP;
+	ip_hdr(skb)->protocol = IPPROTO_UDP;
 	skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
 
 	src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0;