On Sun, Jan 09, 2022 at 10:30:59AM +0100, Pavel Machek wrote:
> Hi!
>
> > The patch below does not apply to the 4.4-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@xxxxxxxxxxxxxxx>.
>
> I could not find better place to reply.
>
> I see this patch is queued for 5.10 and 4.19. But it is wrong:
>
> > >From 4619bcf91399f00a40885100fb61d594d8454033 Mon Sep 17 00:00:00 2001
> > From: David Ahern <dsahern@xxxxxxxxxx>
> > Date: Thu, 30 Dec 2021 17:36:33 -0700
> > Subject: [PATCH] ipv6: Check attribute length for RTA_GATEWAY in multipath
> > route
> >
> > Commit referenced in the Fixes tag used nla_memcpy for RTA_GATEWAY as
> > does the current nla_get_in6_addr. nla_memcpy protects against accessing
> > memory greater than what is in the attribute, but there is no check
> > requiring the attribute to have an IPv6 address. Add it.
> >
> > Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath
> > (ECMP)")
>
> ...> @@ -5264,7 +5277,13 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
> >
> > nla = nla_find(attrs, attrlen, RTA_GATEWAY);
> > if (nla) {
> > - r_cfg.fc_gateway = nla_get_in6_addr(nla);
> > + int ret;
> > +
> > + ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
> > + extack);
> > + if (ret)
> > + return ret;
> > +
>
> Direct return may not be used here. It needs to goto cleanup.
>
> It is already fixed in mainline, so you can probably just cherry-pick
> followup patch, too.
What is the follow-up patch git id?
thanks,
greg k-h
