lwtunnel: Validate RTA_ENCAP_TYPE attribute length

commit 8bda81a4d400cf8a72e554012f0d8c45e07a3904 upstream. lwtunnel_valid_encap_type_attr is used to validate encap attributes within a multipath route. Add length validation checking to the type. lwtunnel_valid_encap_type_attr is called converting attributes to fib{6,}_config struct which means it is used before fib_get_nhs, ip6_route_multipath_add, and ip6_route_multipath_del - other locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE attribute. Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules") Signed-off-by: David Ahern <dsahern@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: David Ahern <dsahern@kernel.org> 2021-12-30 17:36:35 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-01-11 15:25:00 +0100
commit: f403b5f96e9a153f00d1f3503b4e4dbb066601f8 (patch)
tree: aca8a782694d20e12fcabd0b9729f19f24568219 /net/ipv4/fib_semantics.c
parent: 48d5adb08d60116e9d05f01dcdbe698b5d54cdbb (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 72782843d575..ab6a8f35d369 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -741,6 +741,9 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
 			}
 
 			fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+			/* RTA_ENCAP_TYPE length checked in
+			 * lwtunnel_valid_encap_type_attr
+			 */
 			nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
 			if (nla)
 				fib_cfg.fc_encap_type = nla_get_u16(nla);
author	David Ahern <dsahern@kernel.org>	2021-12-30 17:36:35 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-01-11 15:25:00 +0100
commit	f403b5f96e9a153f00d1f3503b4e4dbb066601f8 (patch)
tree	aca8a782694d20e12fcabd0b9729f19f24568219 /net/ipv4/fib_semantics.c
parent	48d5adb08d60116e9d05f01dcdbe698b5d54cdbb (diff)