diff options
| author | David Ahern <dsahern@kernel.org> | 2021-12-30 17:36:35 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-01-11 15:35:14 +0100 |
| commit | 41844e68eb92afb935bd0e3366edc6df83b07f26 (patch) | |
| tree | 2cf7f736b7cb011f0d00658666fa77d766f63fa2 /net/ipv6 | |
| parent | ca0097c543fc65c29c55f1a98b40e9785079737b (diff) | |
| download | linux-stable-41844e68eb92afb935bd0e3366edc6df83b07f26.tar.gz linux-stable-41844e68eb92afb935bd0e3366edc6df83b07f26.tar.bz2 linux-stable-41844e68eb92afb935bd0e3366edc6df83b07f26.zip | |
lwtunnel: Validate RTA_ENCAP_TYPE attribute length
commit 8bda81a4d400cf8a72e554012f0d8c45e07a3904 upstream.
lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.
lwtunnel_valid_encap_type_attr is called converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.
Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules")
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/route.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 5611592e0e83..d050e0f5baa4 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5287,6 +5287,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, r_cfg.fc_flags |= RTF_GATEWAY; } r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP); + + /* RTA_ENCAP_TYPE length checked in + * lwtunnel_valid_encap_type_attr + */ nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE); if (nla) r_cfg.fc_encap_type = nla_get_u16(nla); |