From patchwork Thu Jan 17 22:52:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027023 X-Patchwork-Delegate: davem@davemloft.net
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 01/13] net: netlink: add helper to retrieve NETLINK_F_STRICT_CHK Date: Thu, 17 Jan 2019 14:52:48 -0800 Message-Id: <20190117225300.8006-2-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Dumps can read state of the NETLINK_F_STRICT_CHK flag from a field in the callback structure. For non-dump GET requests we need a way to access the state of that flag from a socket. Signed-off-by: Jakub Kicinski --- include/linux/netlink.h | 1 + net/netlink/af_netlink.c | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/include/linux/netlink.h b/include/linux/netlink.h index 4e8add270200..593d1b9c33a8 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h @@ -126,6 +126,7 @@ void __netlink_clear_multicast_users(struct sock *sk, unsigned int group); void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, const struct netlink_ext_ack *extack); int netlink_has_listeners(struct sock *sk, unsigned int group); +bool netlink_strict_get_check(struct sk_buff *skb); int netlink_unicast(struct sock *ssk, struct sk_buff *skb, __u32 portid, int nonblock); int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, __u32 portid, diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 3c023d6120f6..8fa35df94c07 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c 
@@ -1371,6 +1371,14 @@ int netlink_has_listeners(struct sock *sk, unsigned int group) } EXPORT_SYMBOL_GPL(netlink_has_listeners); +bool netlink_strict_get_check(struct sk_buff *skb) +{ + const struct netlink_sock *nlk = nlk_sk(NETLINK_CB(skb).sk); + + return nlk->flags & NETLINK_F_STRICT_CHK; +} +EXPORT_SYMBOL_GPL(netlink_strict_get_check); + static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb) { struct netlink_sock *nlk = nlk_sk(sk);
From patchwork Thu Jan 17 22:52:49 2019 X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027024 X-Patchwork-Delegate: davem@davemloft.net
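Review bot: netlink_strict_get_check() in the net/netlink/af_netlink.c hunk of patch 01/13 is a new exported helper with no kernel-doc, and it dereferences nlk_sk(NETLINK_CB(skb).sk) unconditionally without stating when that pointer is valid. Add a short comment above the function spelling out the precondition, namely that skb is a request received on a netlink socket so NETLINK_CB(skb).sk is set, so that callers outside doit handlers do not pick it up by mistake.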
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 02/13] rtnetlink: stats: validate attributes in get as well as dumps Date: Thu, 17 Jan 2019 14:52:49 -0800 Message-Id: <20190117225300.8006-3-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make sure NETLINK_GET_STRICT_CHK influences both GETSTATS doit as well as the dump. Signed-off-by: Jakub Kicinski --- net/core/rtnetlink.c | 58 ++++++++++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 5ea1bed08ede..08f142b59403 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -4901,6 +4901,36 @@ static size_t if_nlmsg_stats_size(const struct net_device *dev, return size; } +static int rtnl_valid_stats_req(const struct nlmsghdr *nlh, bool strict_check, + bool is_dump, struct netlink_ext_ack *extack) +{ + struct if_stats_msg *ifsm; + + if (nlh->nlmsg_len < sizeof(*ifsm)) { + NL_SET_ERR_MSG(extack, "Invalid header for stats dump"); + return -EINVAL; + } + + if (!strict_check) + return 0; + + ifsm = nlmsg_data(nlh); + + /* only requests using strict checks can pass data to influence + * the dump. The legacy exception is filter_mask. + */ + if (ifsm->pad1 || ifsm->pad2 || (is_dump && ifsm->ifindex)) { + NL_SET_ERR_MSG(extack, "Invalid values in header for stats dump request"); + return -EINVAL; + } + if (nlmsg_attrlen(nlh, sizeof(*ifsm))) { + NL_SET_ERR_MSG(extack, "Invalid attributes after stats header"); + return -EINVAL; + } + + return 0; +} + static int rtnl_stats_get(struct sk_buff *skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
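Review bot: the length test at the top of rtnl_valid_stats_req() compares nlh->nlmsg_len, the total message length including the netlink header, against sizeof(*ifsm), while the checks it replaces in rtnl_stats_get() and rtnl_stats_dump() used nlmsg_len(nlh), the payload length. As written, a request whose payload is shorter than struct if_stats_msg can pass the check and nlmsg_data(nlh) is then read beyond the data the sender supplied. Use nlmsg_len(nlh) < sizeof(*ifsm), or nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ifsm)) as the getlink, netconf and getid helpers later in this series do. The extack string "Invalid header for stats dump" is now also returned for the non-dump GET and could lose the word "dump".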
@@ -4912,8 +4942,10 @@ static int rtnl_stats_get(struct sk_buff *skb, struct nlmsghdr *nlh, u32 filter_mask; int err; - if (nlmsg_len(nlh) < sizeof(*ifsm)) - return -EINVAL; + err = rtnl_valid_stats_req(nlh, netlink_strict_get_check(skb), + false, extack); + if (err) + return err; ifsm = nlmsg_data(nlh); if (ifsm->ifindex > 0) 
@@ -4965,27 +4997,11 @@ static int rtnl_stats_dump(struct sk_buff *skb, struct netlink_callback *cb) cb->seq = net->dev_base_seq; - if (nlmsg_len(cb->nlh) < sizeof(*ifsm)) { - NL_SET_ERR_MSG(extack, "Invalid header for stats dump"); - return -EINVAL; - } + err = rtnl_valid_stats_req(cb->nlh, cb->strict_check, true, extack); + if (err) + return err; ifsm = nlmsg_data(cb->nlh); - - /* only requests using strict checks can pass data to influence - * the dump. The legacy exception is filter_mask. - */ - if (cb->strict_check) { - if (ifsm->pad1 || ifsm->pad2 || ifsm->ifindex) { - NL_SET_ERR_MSG(extack, "Invalid values in header for stats dump request"); - return -EINVAL; - } - if (nlmsg_attrlen(cb->nlh, sizeof(*ifsm))) { - NL_SET_ERR_MSG(extack, "Invalid attributes after stats header"); - return -EINVAL; - } - } - filter_mask = ifsm->filter_mask; if (!filter_mask) { NL_SET_ERR_MSG(extack, "Filter mask must be set for stats dump");
From patchwork Thu Jan 17 22:52:50 2019 X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027025 X-Patchwork-Delegate: davem@davemloft.net
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 03/13] rtnetlink: stats: reject requests for unknown stats Date: Thu, 17 Jan 2019 14:52:50 -0800 Message-Id: <20190117225300.8006-4-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org In the spirit of strict checks reject requests of stats the kernel does not support when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/core/rtnetlink.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 08f142b59403..3c134b928071 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c
@@ -4927,6 +4927,10 @@ static int rtnl_valid_stats_req(const struct nlmsghdr *nlh, bool strict_check, NL_SET_ERR_MSG(extack, "Invalid attributes after stats header"); return -EINVAL; } + if (ifsm->filter_mask >= IFLA_STATS_FILTER_BIT(IFLA_STATS_MAX + 1)) { + NL_SET_ERR_MSG(extack, "Invalid stats requested through filter mask"); + return -EINVAL; + } return 0; }
From patchwork Thu Jan 17 22:52:51 2019 X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027026 X-Patchwork-Delegate: davem@davemloft.net
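Review bot: the filter_mask bound added to rtnl_valid_stats_req() in patch 03/13 relies on two things the code does not state: it sits after the early return for !strict_check, so sockets without NETLINK_F_STRICT_CHK still have unknown bits accepted, and the >= comparison against IFLA_STATS_FILTER_BIT(IFLA_STATS_MAX + 1) only rejects exactly the unsupported bits while the filter bits stay contiguous from bit 0. A one-line comment next to the check covering both would save the next reader from working that out.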
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 04/13] rtnetlink: ifinfo: perform strict checks also for doit handler Date: Thu, 17 Jan 2019 14:52:51 -0800 Message-Id: <20190117225300.8006-5-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETLINK's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/core/rtnetlink.c | 49 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 3c134b928071..aef9cbca8358 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c 
@@ -3242,6 +3242,53 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, return ret; } +static int rtnl_valid_getlink_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + struct ifinfomsg *ifm; + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ifm))) { + NL_SET_ERR_MSG(extack, "Invalid header for get link"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy, + extack); + + ifm = nlmsg_data(nlh); + if (ifm->__ifi_pad || ifm->ifi_type || ifm->ifi_flags || + ifm->ifi_change) { + NL_SET_ERR_MSG(extack, "Invalid values in header for get link request"); + return -EINVAL; + } + + err = nlmsg_parse_strict(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy, + extack); + if (err) + return err; + + for (i = 0; i <= IFLA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case IFLA_IFNAME: + case IFLA_EXT_MASK: + case IFLA_TARGET_NETNSID: + break; + default: + NL_SET_ERR_MSG(extack, "Unsupported attribute in get link request"); + return -EINVAL; + } + } + + return 0; +} + static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
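Review bot: the attribute allowlist in the switch at the end of rtnl_valid_getlink_req() has to stay in sync with the attributes rtnl_getlink() actually reads, and nothing in the hunk says so. Add a comment above the switch noting that any attribute the handler starts consuming must be added to the case list, otherwise strict-check sockets get "Unsupported attribute in get link request". The same loop is repeated in inet_netconf_valid_get_req() and rtnl_net_valid_getid_req() later in the series, so a shared helper taking the allowed attribute set would avoid three copies.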
@@ -3256,7 +3303,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh, int err; u32 ext_filter_mask = 0; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy, extack); + err = rtnl_valid_getlink_req(skb, nlh, tb, extack); if (err < 0) return err;
From patchwork Thu Jan 17 22:52:52 2019 X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027027 X-Patchwork-Delegate: davem@davemloft.net
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 05/13] net: ipv4: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:52 -0800 Message-Id: <20190117225300.8006-6-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETNETCONF's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/ipv4/devinet.c | 43 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 39 insertions(+), 4 deletions(-) diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index e258a00b4a3d..cd027639df2f 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c 
@@ -2063,13 +2063,49 @@ static const struct nla_policy devconf_ipv4_policy[NETCONFA_MAX+1] = { [NETCONFA_IGNORE_ROUTES_WITH_LINKDOWN] = { .len = sizeof(int) }, }; +static int inet_netconf_valid_get_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(struct netconfmsg))) { + NL_SET_ERR_MSG(extack, "ipv4: Invalid header for netconf get request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(struct netconfmsg), tb, + NETCONFA_MAX, devconf_ipv4_policy, extack); + + err = nlmsg_parse_strict(nlh, sizeof(struct netconfmsg), tb, + NETCONFA_MAX, devconf_ipv4_policy, extack); + if (err) + return err; + + for (i = 0; i <= NETCONFA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case NETCONFA_IFINDEX: + break; + default: + NL_SET_ERR_MSG(extack, "ipv4: Unsupported attribute in netconf get request"); + return -EINVAL; + } + } + + return 0; +} + static int inet_netconf_get_devconf(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { struct net *net = sock_net(in_skb->sk); struct nlattr *tb[NETCONFA_MAX+1]; - struct netconfmsg *ncm; struct sk_buff *skb; struct ipv4_devconf *devconf; struct in_device *in_dev; 
@@ -2077,9 +2113,8 @@ static int inet_netconf_get_devconf(struct sk_buff *in_skb, int ifindex; int err; - err = nlmsg_parse(nlh, sizeof(*ncm), tb, NETCONFA_MAX, - devconf_ipv4_policy, extack); - if (err < 0) + err = inet_netconf_valid_get_req(in_skb, nlh, tb, extack); + if (err) goto errout; err = -EINVAL;
From patchwork Thu Jan 17 22:52:53 2019 X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027028 X-Patchwork-Delegate: davem@davemloft.net
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski , ktkhai@virtuozzo.com, nicolas.dichtel@6wind.com Subject: [PATCH net-next 06/13] net: namespace: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:53 -0800 Message-Id: <20190117225300.8006-7-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETNSID's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- CC: ktkhai@virtuozzo.com CC: nicolas.dichtel@6wind.com --- net/core/net_namespace.c | 43 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index b02fb19df2cc..1b45e3ab2b65 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c 
@@ -778,6 +778,46 @@ static int rtnl_net_fill(struct sk_buff *skb, struct net_fill_args *args) return -EMSGSIZE; } +static int rtnl_net_valid_getid_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(struct rtgenmsg))) { + NL_SET_ERR_MSG(extack, "Invalid header for peer netns getid"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, NETNSA_MAX, + rtnl_net_policy, extack); + + err = nlmsg_parse_strict(nlh, sizeof(struct rtgenmsg), tb, NETNSA_MAX, + rtnl_net_policy, extack); + if (err) + return err; + + for (i = 0; i <= NETNSA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case NETNSA_PID: + case NETNSA_FD: + case NETNSA_NSID: + case NETNSA_TARGET_NSID: + break; + default: + NL_SET_ERR_MSG(extack, "Unsupported attribute in peer netns getid request"); + return -EINVAL; + } + } + + return 0; +} + static int rtnl_net_getid(struct sk_buff *skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
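Review bot: the strict path in rtnl_net_valid_getid_req() never looks at the rtgenmsg header itself. After the length check it goes from netlink_strict_get_check() straight to nlmsg_parse_strict() and the attribute loop, whereas the ipmr, addrlabel and route helpers in this series reject non-zero values in header fields the handler does not use. If rtnl_net_getid() ignores rtgen_family, either reject a non-zero value under strict checking or add a one-line comment saying there is no header field to validate, so the omission reads as deliberate.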
@@ -793,8 +833,7 @@ static int rtnl_net_getid(struct sk_buff *skb, struct nlmsghdr *nlh, struct sk_buff *msg; int err; - err = nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, NETNSA_MAX, - rtnl_net_policy, extack); + err = rtnl_net_valid_getid_req(skb, nlh, tb, extack); if (err < 0) return err; if (tb[NETNSA_PID]) { From patchwork Thu Jan 17 22:52:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027035 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netronome.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=netronome-com.20150623.gappssmtp.com header.i=@netronome-com.20150623.gappssmtp.com header.b="OMOJKWrS"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43gfWM6kNKz9sDr for ; Fri, 18 Jan 2019 09:53:35 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726948AbfAQWxe (ORCPT ); Thu, 17 Jan 2019 17:53:34 -0500 Received: from mail-pf1-f195.google.com ([209.85.210.195]:42238 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726185AbfAQWxQ (ORCPT ); Thu, 17 Jan 2019 17:53:16 -0500 Received: by mail-pf1-f195.google.com with SMTP id 64so5533823pfr.9 for ; Thu, 17 Jan 2019 14:53:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netronome-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; 
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 07/13] net: ipv4: ipmr: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:54 -0800 Message-Id: <20190117225300.8006-8-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETROUTE's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/ipv4/ipmr.c | 61 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 56 insertions(+), 5 deletions(-) diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index ddbf8c9a1abb..4842e36af482 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c 
@@ -2467,6 +2467,61 @@ static void igmpmsg_netlink_event(struct mr_table *mrt, struct sk_buff *pkt) rtnl_set_sk_err(net, RTNLGRP_IPV4_MROUTE_R, -ENOBUFS); } +static int ipmr_rtm_valid_getroute_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + struct rtmsg *rtm; + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*rtm))) { + NL_SET_ERR_MSG(extack, "ipv4: MR invalid header for route get"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, + rtm_ipv4_policy, extack); + + rtm = nlmsg_data(nlh); + if ((rtm->rtm_src_len && rtm->rtm_src_len != 32) || + (rtm->rtm_dst_len && rtm->rtm_dst_len != 32) || + rtm->rtm_tos || rtm->rtm_table || rtm->rtm_protocol || + rtm->rtm_scope || rtm->rtm_type || rtm->rtm_flags) { + NL_SET_ERR_MSG(extack, "ipv4: MR invalid values in header for route get request"); + return -EINVAL; + } + + err = nlmsg_parse_strict(nlh, sizeof(*rtm), tb, RTA_MAX, + rtm_ipv4_policy, extack); + if (err) + return err; + + if ((tb[RTA_SRC] && !rtm->rtm_src_len) || + (tb[RTA_DST] && !rtm->rtm_dst_len)) { + NL_SET_ERR_MSG(extack, "ipv4: MR rtm_src_len and rtm_dst_len must be 32 for IPv4"); + return -EINVAL; + } + + for (i = 0; i <= RTA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case RTA_SRC: + case RTA_DST: + case RTA_TABLE: + break; + default: + NL_SET_ERR_MSG(extack, "ipv4: MR unsupported attribute in route get request"); + return -EINVAL; + } + } + + return 0; +} + static int ipmr_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
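Review bot: the RTA_SRC/RTA_DST cross-check after nlmsg_parse_strict() only works in one direction. `(tb[RTA_SRC] && !rtm->rtm_src_len)` rejects an address attribute sent with a zero length, but a header with rtm_src_len or rtm_dst_len set to 32 and no matching attribute still passes, and ipmr_rtm_getroute() then falls back to 0 for src or grp. If strict mode is meant to refuse inconsistent requests, reject the length-without-attribute case as well; otherwise add a comment explaining why it is tolerated. The extack text "must be 32" is also misleading for the case it reports, since that branch fires when the length is 0 and an attribute is present.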
@@ -2475,18 +2530,14 @@ static int ipmr_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct sk_buff *skb = NULL; struct mfc_cache *cache; struct mr_table *mrt; - struct rtmsg *rtm; __be32 src, grp; u32 tableid; int err; - err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, - rtm_ipv4_policy, extack); + err = ipmr_rtm_valid_getroute_req(in_skb, nlh, tb, extack); if (err < 0) goto errout; - rtm = nlmsg_data(nlh); - src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0; grp = tb[RTA_DST] ? nla_get_in_addr(tb[RTA_DST]) : 0; tableid = tb[RTA_TABLE] ? nla_get_u32(tb[RTA_TABLE]) : 0; From patchwork Thu Jan 17 22:52:55 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027034 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netronome.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=netronome-com.20150623.gappssmtp.com header.i=@netronome-com.20150623.gappssmtp.com header.b="qmzOt6JN"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43gfWL3tSTz9sDr for ; Fri, 18 Jan 2019 09:53:34 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726932AbfAQWxd (ORCPT ); Thu, 17 Jan 2019 17:53:33 -0500 Received: from mail-pg1-f196.google.com ([209.85.215.196]:36531 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726801AbfAQWxS (ORCPT ); Thu, 17 Jan 2019 17:53:18 -0500 Received: by mail-pg1-f196.google.com with SMTP id 
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 08/13] net: ipv6: addr: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:55 -0800 Message-Id: <20190117225300.8006-9-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETADDR's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/ipv6/addrconf.c | 49 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 93d5ad2b1a69..339a82cfe5f2 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c 
@@ -5179,6 +5179,52 @@ static int inet6_dump_ifacaddr(struct sk_buff *skb, struct netlink_callback *cb) return inet6_dump_addr(skb, cb, type); } +static int inet6_rtm_valid_getaddr_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + struct ifaddrmsg *ifm; + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ifm))) { + NL_SET_ERR_MSG_MOD(extack, "Invalid header for get address request"); + return -EINVAL; + } + + ifm = nlmsg_data(nlh); + if (ifm->ifa_prefixlen || ifm->ifa_flags || ifm->ifa_scope) { + NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for get address request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, + ifa_ipv6_policy, extack); + + err = nlmsg_parse_strict(nlh, sizeof(*ifm), tb, IFA_MAX, + ifa_ipv6_policy, extack); + if (err) + return err; + + for (i = 0; i <= IFA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case IFA_TARGET_NETNSID: + case IFA_ADDRESS: + case IFA_LOCAL: + break; + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in get address request"); + return -EINVAL; + } + } + + return 0; +} + static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
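Review bot: the header value check on ifa_prefixlen, ifa_flags and ifa_scope sits above the `if (!netlink_strict_get_check(skb))` branch, so it also runs for sockets that never set NETLINK_F_STRICT_CHK. A legacy request with a non-zero value in any of those fields, which passed the old nlmsg_parse() call, now gets -EINVAL. The commit message limits the change to strict sockets, and the ipmr, addrlabel and IPv6 route helpers in this series all do their header check after the non-strict return. Move the `ifm = nlmsg_data(nlh)` assignment and the check below the non-strict nlmsg_parse() return.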
@@ -5199,8 +5245,7 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct sk_buff *skb; int err; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy, - extack); + err = inet6_rtm_valid_getaddr_req(in_skb, nlh, tb, extack); if (err < 0) return err; From patchwork Thu Jan 17 22:52:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027029 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netronome.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=netronome-com.20150623.gappssmtp.com header.i=@netronome-com.20150623.gappssmtp.com header.b="WKqLmzGS"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43gfW60WRYz9sDr for ; Fri, 18 Jan 2019 09:53:22 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726860AbfAQWxV (ORCPT ); Thu, 17 Jan 2019 17:53:21 -0500 Received: from mail-pl1-f196.google.com ([209.85.214.196]:41080 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726836AbfAQWxU (ORCPT ); Thu, 17 Jan 2019 17:53:20 -0500 Received: by mail-pl1-f196.google.com with SMTP id u6so5391460plm.8 for ; Thu, 17 Jan 2019 14:53:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netronome-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; 
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 09/13] net: ipv6: netconf: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:56 -0800 Message-Id: <20190117225300.8006-10-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETNETCONF's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/ipv6/addrconf.c | 41 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 38 insertions(+), 3 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 339a82cfe5f2..57198b3c86da 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c 
@@ -597,6 +597,43 @@ static const struct nla_policy devconf_ipv6_policy[NETCONFA_MAX+1] = { [NETCONFA_IGNORE_ROUTES_WITH_LINKDOWN] = { .len = sizeof(int) }, }; +static int inet6_netconf_valid_get_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(struct netconfmsg))) { + NL_SET_ERR_MSG_MOD(extack, "Invalid header for netconf get request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(struct netconfmsg), tb, + NETCONFA_MAX, devconf_ipv6_policy, extack); + + err = nlmsg_parse_strict(nlh, sizeof(struct netconfmsg), tb, + NETCONFA_MAX, devconf_ipv6_policy, extack); + if (err) + return err; + + for (i = 0; i <= NETCONFA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case NETCONFA_IFINDEX: + break; + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in netconf get request"); + return -EINVAL; + } + } + + return 0; +} + static int inet6_netconf_get_devconf(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) 
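Review bot: the `for (i = 0; i <= NETCONFA_MAX; i++)` loop with a switch over accepted attributes is the same block already added for the netns, ipmr and IPv6 address helpers earlier in this series, differing only in the table bound, the case labels and the error text. A shared helper that takes tb, the maximum attribute type, the set of accepted types and extack would remove the copies and keep the "Unsupported attribute" wording uniform. If the per-handler copies stay, a short comment above inet6_netconf_valid_get_req() naming NETCONFA_IFINDEX as the only attribute accepted in strict mode would save readers from walking the switch.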
@@ -605,14 +642,12 @@ static int inet6_netconf_get_devconf(struct sk_buff *in_skb, struct nlattr *tb[NETCONFA_MAX+1]; struct inet6_dev *in6_dev = NULL; struct net_device *dev = NULL; - struct netconfmsg *ncm; struct sk_buff *skb; struct ipv6_devconf *devconf; int ifindex; int err; - err = nlmsg_parse(nlh, sizeof(*ncm), tb, NETCONFA_MAX, - devconf_ipv6_policy, extack); + err = inet6_netconf_valid_get_req(in_skb, nlh, tb, extack); if (err < 0) return err; From patchwork Thu Jan 17 22:52:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027030 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netronome.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=netronome-com.20150623.gappssmtp.com header.i=@netronome-com.20150623.gappssmtp.com header.b="MVUghJHz"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43gfW82mcZz9sBZ for ; Fri, 18 Jan 2019 09:53:24 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726875AbfAQWxX (ORCPT ); Thu, 17 Jan 2019 17:53:23 -0500 Received: from mail-pg1-f194.google.com ([209.85.215.194]:34867 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726780AbfAQWxV (ORCPT ); Thu, 17 Jan 2019 17:53:21 -0500 Received: by mail-pg1-f194.google.com with SMTP id s198so5105918pgs.2 for ; Thu, 17 Jan 2019 14:53:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 10/13] net: ipv6: addrlabel: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:57 -0800 Message-Id: <20190117225300.8006-11-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETADDRLABEL's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/ipv6/addrlabel.c | 47 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c index 0d1ee82ee55b..d43d076c98f5 100644 --- a/net/ipv6/addrlabel.c +++ b/net/ipv6/addrlabel.c 
@@ -523,6 +523,50 @@ static inline int ip6addrlbl_msgsize(void) + nla_total_size(4); /* IFAL_LABEL */ } +static int ip6addrlbl_valid_get_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + struct ifaddrlblmsg *ifal; + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ifal))) { + NL_SET_ERR_MSG_MOD(extack, "Invalid header for addrlabel get request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(*ifal), tb, IFAL_MAX, + ifal_policy, extack); + + ifal = nlmsg_data(nlh); + if (ifal->__ifal_reserved || ifal->ifal_flags || ifal->ifal_seq) { + NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for addrlabel get request"); + return -EINVAL; + } + + err = nlmsg_parse_strict(nlh, sizeof(*ifal), tb, IFAL_MAX, + ifal_policy, extack); + if (err) + return err; + + for (i = 0; i <= IFAL_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case IFAL_ADDRESS: + break; + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in addrlabel get request"); + return -EINVAL; + } + } + + return 0; +} + static int ip6addrlbl_get(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
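Review bot: the strict header check after `ifal = nlmsg_data(nlh)` covers __ifal_reserved, ifal_flags and ifal_seq but says nothing about ifal_family, ifal_prefixlen and ifal_index, the remaining fields of struct ifaddrlblmsg. If those are consumed or validated later in ip6addrlbl_get(), add a short comment above the check saying so, so the list reads as "fields the handler does not use" rather than as an incomplete one. The strict path also accepts a request with no IFAL_ADDRESS at all; if the handler requires it, rejecting its absence here with an extack message would give strict callers a better error than a bare -EINVAL later.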
@@ -535,8 +579,7 @@ static int ip6addrlbl_get(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct ip6addrlbl_entry *p; struct sk_buff *skb; - err = nlmsg_parse(nlh, sizeof(*ifal), tb, IFAL_MAX, ifal_policy, - extack); + err = ip6addrlbl_valid_get_req(in_skb, nlh, tb, extack); if (err < 0) return err; From patchwork Thu Jan 17 22:52:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027031 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netronome.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=netronome-com.20150623.gappssmtp.com header.i=@netronome-com.20150623.gappssmtp.com header.b="YEgM0KZq"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43gfWC3Vhpz9sBZ for ; Fri, 18 Jan 2019 09:53:27 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726896AbfAQWx0 (ORCPT ); Thu, 17 Jan 2019 17:53:26 -0500 Received: from mail-pf1-f195.google.com ([209.85.210.195]:45228 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726836AbfAQWxW (ORCPT ); Thu, 17 Jan 2019 17:53:22 -0500 Received: by mail-pf1-f195.google.com with SMTP id g62so5528695pfd.12 for ; Thu, 17 Jan 2019 14:53:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netronome-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; 
From: Jakub Kicinski To: davem@davemloft.net, dsahern@gmail.com Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski Subject: [PATCH net-next 11/13] net: ipv6: route: perform strict checks also for doit handlers Date: Thu, 17 Jan 2019 14:52:58 -0800 Message-Id: <20190117225300.8006-12-jakub.kicinski@netronome.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com> References: <20190117225300.8006-1-jakub.kicinski@netronome.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make RTM_GETROUTE's doit handler use strict checks when NETLINK_F_STRICT_CHK is set. Signed-off-by: Jakub Kicinski --- net/ipv6/route.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 68 insertions(+), 2 deletions(-) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 964491cf3672..dc066fdf7e46 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c 
@@ -4812,6 +4812,73 @@ int rt6_dump_route(struct fib6_info *rt, void *p_arg) arg->cb->nlh->nlmsg_seq, flags); } +static int inet6_rtm_valid_getroute_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + struct rtmsg *rtm; + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*rtm))) { + NL_SET_ERR_MSG_MOD(extack, + "Invalid header for get route request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, + rtm_ipv6_policy, extack); + + rtm = nlmsg_data(nlh); + if ((rtm->rtm_src_len && rtm->rtm_src_len != 128) || + (rtm->rtm_dst_len && rtm->rtm_dst_len != 128) || + rtm->rtm_table || rtm->rtm_protocol || rtm->rtm_scope || + rtm->rtm_type) { + NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for get route request"); + return -EINVAL; + } + if (rtm->rtm_flags & ~RTM_F_FIB_MATCH) { + NL_SET_ERR_MSG_MOD(extack, + "Invalid flags for get route request"); + return -EINVAL; + } + + err = nlmsg_parse_strict(nlh, sizeof(*rtm), tb, RTA_MAX, + rtm_ipv6_policy, extack); + if (err) + return err; + + if ((tb[RTA_SRC] && !rtm->rtm_src_len) || + (tb[RTA_DST] && !rtm->rtm_dst_len)) { + NL_SET_ERR_MSG_MOD(extack, "rtm_src_len and rtm_dst_len must be 128 for IPv6"); + return -EINVAL; + } + + for (i = 0; i <= RTA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case RTA_SRC: + case RTA_DST: + case RTA_IIF: + case RTA_OIF: + case RTA_MARK: + case RTA_UID: + case RTA_SPORT: + case RTA_DPORT: + case RTA_IP_PROTO: + break; + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in get route request"); + return -EINVAL; + } + } + + return 0; +} + static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { 
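Review bot: rtm_tos is missing from the header check that follows `rtm = nlmsg_data(nlh)`. The IPv4 multicast helper in patch 07 rejects a non-zero rtm_tos, while this one tests only the two lengths, rtm_table, rtm_protocol, rtm_scope and rtm_type. If inet6_rtm_getroute() does not consume rtm_tos, add it to the condition so strict mode rejects it; if it is allowed on purpose, say so in a comment. Minor: the NL_SET_ERR_MSG_MOD() calls in this helper are wrapped inconsistently, two split across lines and three left on one long line.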
@@ -4826,8 +4893,7 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct flowi6 fl6 = {}; bool fibmatch; - err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv6_policy, - extack); + err = inet6_rtm_valid_getroute_req(in_skb, nlh, tb, extack); if (err < 0) goto errout; 
From patchwork Thu Jan 17 22:52:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027032 X-Patchwork-Delegate: davem@davemloft.net
From: Jakub Kicinski
To: davem@davemloft.net, dsahern@gmail.com
Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski
Subject: [PATCH net-next 12/13] net: mpls: route: perform strict checks also for doit handlers
Date: Thu, 17 Jan 2019 14:52:59 -0800
Message-Id: <20190117225300.8006-13-jakub.kicinski@netronome.com>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com>
References: <20190117225300.8006-1-jakub.kicinski@netronome.com>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Make RTM_GETROUTE's doit handler use strict checks when
NETLINK_F_STRICT_CHK is set.

Signed-off-by: Jakub Kicinski
---
 net/mpls/af_mpls.c | 61 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 7d55d4c04088..733c86db551b 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -2236,6 +2236,64 @@ static void rtmsg_lfib(int event, u32 label, struct mpls_route *rt, rtnl_set_sk_err(net, RTNLGRP_MPLS_ROUTE, err); } +static int mpls_valid_getroute_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + struct rtmsg *rtm; + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*rtm))) { + NL_SET_ERR_MSG_MOD(extack, + "Invalid header for get route request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, + rtm_mpls_policy, extack); + + rtm = nlmsg_data(nlh); + if ((rtm->rtm_dst_len && rtm->rtm_dst_len != 20) || + rtm->rtm_src_len || rtm->rtm_tos || rtm->rtm_table || + rtm->rtm_protocol || rtm->rtm_scope || rtm->rtm_type) { + NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for get route request"); + return -EINVAL; + } + if (rtm->rtm_flags & ~RTM_F_FIB_MATCH) { + NL_SET_ERR_MSG_MOD(extack, + "Invalid flags for get route request"); + return -EINVAL; + } + + err = nlmsg_parse_strict(nlh, sizeof(*rtm), tb, RTA_MAX, + rtm_mpls_policy, extack); + if (err) + return err; + + if ((tb[RTA_DST] || tb[RTA_NEWDST]) && !rtm->rtm_dst_len) { + NL_SET_ERR_MSG_MOD(extack, "rtm_dst_len must be 20 for MPLS"); + return -EINVAL; + } + + for (i = 0; i <= RTA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case RTA_DST: + case RTA_NEWDST: + break; + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in get route request"); + return -EINVAL; + } + } + + return 0; +} + static int mpls_getroute(struct sk_buff *in_skb, struct nlmsghdr *in_nlh, struct netlink_ext_ack *extack) { 
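Review bot: The bare 20 in the rtm_dst_len test of mpls_valid_getroute_req(), repeated in the "rtm_dst_len must be 20 for MPLS" message, should be a named constant or carry a comment that it is the MPLS label width in bits; as written a reader has to know that to see why any other non-zero length is rejected. The function is otherwise a near copy of inet6_rtm_valid_getroute_req() from the previous patch (length check, strict/non-strict split, flags mask, whitelist loop); consider a shared helper that takes the policy and the set of allowed attributes, so the two cannot drift apart. The switch also couples the whitelist to rtm_mpls_policy without saying so: an attribute added to the policy later is refused with "Unsupported attribute in get route request" for strict callers until the switch is updated, which is worth a comment next to the policy.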
@@ -2255,8 +2313,7 @@ static int mpls_getroute(struct sk_buff *in_skb, struct nlmsghdr *in_nlh, u8 n_labels; int err; - err = nlmsg_parse(in_nlh, sizeof(*rtm), tb, RTA_MAX, - rtm_mpls_policy, extack); + err = mpls_valid_getroute_req(in_skb, in_nlh, tb, extack); if (err < 0) goto errout; 
From patchwork Thu Jan 17 22:53:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 1027033 X-Patchwork-Delegate: davem@davemloft.net
From: Jakub Kicinski
To: davem@davemloft.net, dsahern@gmail.com
Cc: netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski
Subject: [PATCH net-next 13/13] net: mpls: netconf: perform strict checks also for doit handlers
Date: Thu, 17 Jan 2019 14:53:00 -0800
Message-Id: <20190117225300.8006-14-jakub.kicinski@netronome.com>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20190117225300.8006-1-jakub.kicinski@netronome.com>
References: <20190117225300.8006-1-jakub.kicinski@netronome.com>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Make RTM_GETNETCONF's doit handler use strict checks when
NETLINK_F_STRICT_CHK is set.

Signed-off-by: Jakub Kicinski
---
 net/mpls/af_mpls.c | 42 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 733c86db551b..2662a23c658e 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -1209,21 +1209,57 @@ static const struct nla_policy devconf_mpls_policy[NETCONFA_MAX + 1] = { [NETCONFA_IFINDEX] = { .len = sizeof(int) }, }; +static int mpls_netconf_valid_get_req(struct sk_buff *skb, + const struct nlmsghdr *nlh, + struct nlattr **tb, + struct netlink_ext_ack *extack) +{ + int i, err; + + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(struct netconfmsg))) { + NL_SET_ERR_MSG_MOD(extack, + "Invalid header for netconf get request"); + return -EINVAL; + } + + if (!netlink_strict_get_check(skb)) + return nlmsg_parse(nlh, sizeof(struct netconfmsg), tb, + NETCONFA_MAX, devconf_mpls_policy, extack); + + err = nlmsg_parse_strict(nlh, sizeof(struct netconfmsg), tb, + NETCONFA_MAX, devconf_mpls_policy, extack); + if (err) + return err; + + for (i = 0; i <= NETCONFA_MAX; i++) { + if (!tb[i]) + continue; + + switch (i) { + case NETCONFA_IFINDEX: + break; + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in netconf get request"); + return -EINVAL; + } + } + + return 0; +} + static int mpls_netconf_get_devconf(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { struct net *net = sock_net(in_skb->sk); struct nlattr *tb[NETCONFA_MAX + 1]; - struct netconfmsg *ncm; struct net_device *dev; struct mpls_dev *mdev; struct sk_buff *skb; int ifindex; int err; - err = nlmsg_parse(nlh, sizeof(*ncm), tb, NETCONFA_MAX, - devconf_mpls_policy, extack); + err = mpls_netconf_valid_get_req(in_skb, nlh, tb, extack); if (err < 0) goto errout;
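Review bot: The strict branch of mpls_netconf_valid_get_req() validates attributes only and never inspects the fixed header, unlike the two getroute helpers earlier in the series, which reject unexpected rtm_* values before parsing. If struct netconfmsg has nothing that needs checking beyond its size, a short comment above the nlmsg_parse_strict() call would make that asymmetry deliberate rather than an apparent omission. The context line shows the policy entry as [NETCONFA_IFINDEX] = { .len = sizeof(int) } with no .type, which acts as a minimum length, so an oversized NETCONFA_IFINDEX still passes in strict mode; a typed entry would close that. The for/switch with a single case is heavier than it needs to be for one permitted attribute, though keeping it for symmetry with the route helpers is defensible if a comment says so.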