This is a note to let you know that I've just added the patch titled ipv4: Check attribute length for RTA_FLOW in multipath route to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ipv4-check-attribute-length-for-rta_flow-in-multipath-route.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 664b9c4b7392ce723b013201843264bf95481ce5 Mon Sep 17 00:00:00 2001 From: David Ahern <dsahern@xxxxxxxxxx> Date: Thu, 30 Dec 2021 17:36:32 -0700 Subject: ipv4: Check attribute length for RTA_FLOW in multipath route From: David Ahern <dsahern@xxxxxxxxxx> commit 664b9c4b7392ce723b013201843264bf95481ce5 upstream. Make sure RTA_FLOW is at least 4B before using. Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config") Signed-off-by: David Ahern <dsahern@xxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv4/fib_semantics.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -731,8 +731,13 @@ static int fib_get_nhs(struct fib_info * } nla = nla_find(attrs, attrlen, RTA_FLOW); - if (nla) + if (nla) { + if (nla_len(nla) < sizeof(u32)) { + NL_SET_ERR_MSG(extack, "Invalid RTA_FLOW"); + return -EINVAL; + } fib_cfg.fc_flow = nla_get_u32(nla); + } fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP); nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE); 
@@ -963,8 +968,14 @@ int fib_nh_match(struct net *net, struct #ifdef CONFIG_IP_ROUTE_CLASSID nla = nla_find(attrs, attrlen, RTA_FLOW); - if (nla && nla_get_u32(nla) != nh->nh_tclassid) - return 1; + if (nla) { + if (nla_len(nla) < sizeof(u32)) { + NL_SET_ERR_MSG(extack, "Invalid RTA_FLOW"); + return -EINVAL; + } + if (nla_get_u32(nla) != nh->nh_tclassid) + return 1; + } #endif } Patches currently in stable-queue which might be from dsahern@xxxxxxxxxx are queue-5.15/ipv4-check-attribute-length-for-rta_flow-in-multipath-route.patch queue-5.15/ipv6-check-attribute-length-for-rta_gateway-when-deleting-multipath-route.patch queue-5.15/ipv6-check-attribute-length-for-rta_gateway-in-multipath-route.patch queue-5.15/lwtunnel-validate-rta_encap_type-attribute-length.patch queue-5.15/ipv4-check-attribute-length-for-rta_gateway-in-multipath-route.patch
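Review bot: In the first hunk (fib_get_nhs(), @@ -731,8 +731,13 @@), the extack text "Invalid RTA_FLOW" does not tell the sender that the attribute length is what failed. A message that names the length would be easier to act on from userspace. The same four-line check (nla_len(nla) < sizeof(u32), NL_SET_ERR_MSG, return -EINVAL) is repeated verbatim in the second hunk, so a small shared helper would keep the two sites from drifting apart. The test also accepts attributes longer than sizeof(u32). That matches the "at least 4B" wording in the commit message, but a short comment saying oversized attributes are tolerated on purpose would help.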
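Review bot: In the second hunk (fib_nh_match(), @@ -963,8 +968,14 @@), the added "return -EINVAL;" puts a negative return on a path where the removed code only returned 1 for a mismatch. A caller that tests the result only for zero or non-zero will treat a malformed RTA_FLOW as an ordinary non-match, and the errno is lost. Please confirm that the callers propagate negative values, or document the new return convention above the function. Separately, extack is used here but is not declared in the visible context, and the diffstat touches only net/ipv4/fib_semantics.c, so for the 5.15 backport it is worth confirming that extack is already in scope in fib_nh_match().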