This is a note to let you know that I've just added the patch titled
lwtunnel: Validate RTA_ENCAP_TYPE attribute length
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
lwtunnel-validate-rta_encap_type-attribute-length.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 8bda81a4d400cf8a72e554012f0d8c45e07a3904 Mon Sep 17 00:00:00 2001
From: David Ahern <dsahern@xxxxxxxxxx>
Date: Thu, 30 Dec 2021 17:36:35 -0700
Subject: lwtunnel: Validate RTA_ENCAP_TYPE attribute length
From: David Ahern <dsahern@xxxxxxxxxx>
commit 8bda81a4d400cf8a72e554012f0d8c45e07a3904 upstream.
lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.
lwtunnel_valid_encap_type_attr is called converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.
Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules")
Signed-off-by: David Ahern <dsahern@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/core/lwtunnel.c | 4 ++++
net/ipv4/fib_semantics.c | 3 +++
net/ipv6/route.c | 4 ++++
3 files changed, 11 insertions(+)
--- a/net/core/lwtunnel.c
+++ b/net/core/lwtunnel.c
@@ -190,6 +190,10 @@ int lwtunnel_valid_encap_type_attr(struc
nla_entype = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla_entype) {
+ if (nla_len(nla_entype) < sizeof(u16)) {
+ NL_SET_ERR_MSG(extack, "Invalid RTA_ENCAP_TYPE");
+ return -EINVAL;
+ }
encap_type = nla_get_u16(nla_entype);
if (lwtunnel_valid_encap_type(encap_type,
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -732,6 +732,9 @@ static int fib_get_nhs(struct fib_info *
}
fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+ /* RTA_ENCAP_TYPE length checked in
+ * lwtunnel_valid_encap_type_attr
+ */
nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla)
fib_cfg.fc_encap_type = nla_get_u16(nla);
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5156,6 +5156,10 @@ static int ip6_route_multipath_add(struc
r_cfg.fc_flags |= RTF_GATEWAY;
}
r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+
+ /* RTA_ENCAP_TYPE length checked in
+ * lwtunnel_valid_encap_type_attr
+ */
nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
if (nla)
r_cfg.fc_encap_type = nla_get_u16(nla);
Patches currently in stable-queue which might be from dsahern@xxxxxxxxxx are
queue-5.4/ipv4-check-attribute-length-for-rta_flow-in-multipath-route.patch
queue-5.4/ipv6-check-attribute-length-for-rta_gateway-when-deleting-multipath-route.patch
queue-5.4/ipv6-check-attribute-length-for-rta_gateway-in-multipath-route.patch
queue-5.4/lwtunnel-validate-rta_encap_type-attribute-length.patch
queue-5.4/ipv4-check-attribute-length-for-rta_gateway-in-multipath-route.patch
