Skip to content

Commit

Permalink
net: ipmr/ip6mr: prevent out-of-bounds vif_table access
Browse files Browse the repository at this point in the history 
When cache is unresolved, c->mf[6]c_parent is set to 65535 and
minvif, maxvif are not initialized, hence we must avoid to
parse IIF and OIF.
A second problem can happen when the user dumps a cache entry
where a VIF, that was referenced at creation time, has been
removed.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
@davem330
Nicolas Dichtel authored and davem330 committed Mar 27, 2010
1 parent e7d481a commit 7438189
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 8 deletions.
11 changes: 7 additions & 4 deletions net/ipv4/ipmr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1616,17 +1616,20 @@ ipmr_fill_mroute(struct sk_buff *skb, struct mfc_cache *c, struct rtmsg *rtm)
int ct;
struct rtnexthop *nhp;
struct net *net = mfc_net(c);
struct net_device *dev = net->ipv4.vif_table[c->mfc_parent].dev;
u8 *b = skb_tail_pointer(skb);
struct rtattr *mp_head;

if (dev)
RTA_PUT(skb, RTA_IIF, 4, &dev->ifindex);
/* If cache is unresolved, don't try to parse IIF and OIF */
if (c->mfc_parent > MAXVIFS)
return -ENOENT;

if (VIF_EXISTS(net, c->mfc_parent))
RTA_PUT(skb, RTA_IIF, 4, &net->ipv4.vif_table[c->mfc_parent].dev->ifindex);

mp_head = (struct rtattr *)skb_put(skb, RTA_LENGTH(0));

for (ct = c->mfc_un.res.minvif; ct < c->mfc_un.res.maxvif; ct++) {
if (c->mfc_un.res.ttls[ct] < 255) {
if (VIF_EXISTS(net, ct) && c->mfc_un.res.ttls[ct] < 255) {
if (skb_tailroom(skb) < RTA_ALIGN(RTA_ALIGN(sizeof(*nhp)) + 4))
goto rtattr_failure;
nhp = (struct rtnexthop *)skb_put(skb, RTA_ALIGN(sizeof(*nhp)));
Expand Down
11 changes: 7 additions & 4 deletions net/ipv6/ip6mr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1695,17 +1695,20 @@ ip6mr_fill_mroute(struct sk_buff *skb, struct mfc6_cache *c, struct rtmsg *rtm)
int ct;
struct rtnexthop *nhp;
struct net *net = mfc6_net(c);
struct net_device *dev = net->ipv6.vif6_table[c->mf6c_parent].dev;
u8 *b = skb_tail_pointer(skb);
struct rtattr *mp_head;

if (dev)
RTA_PUT(skb, RTA_IIF, 4, &dev->ifindex);
/* If cache is unresolved, don't try to parse IIF and OIF */
if (c->mf6c_parent > MAXMIFS)
return -ENOENT;

if (MIF_EXISTS(net, c->mf6c_parent))
RTA_PUT(skb, RTA_IIF, 4, &net->ipv6.vif6_table[c->mf6c_parent].dev->ifindex);

mp_head = (struct rtattr *)skb_put(skb, RTA_LENGTH(0));

for (ct = c->mfc_un.res.minvif; ct < c->mfc_un.res.maxvif; ct++) {
if (c->mfc_un.res.ttls[ct] < 255) {
if (MIF_EXISTS(net, ct) && c->mfc_un.res.ttls[ct] < 255) {
if (skb_tailroom(skb) < RTA_ALIGN(RTA_ALIGN(sizeof(*nhp)) + 4))
goto rtattr_failure;
nhp = (struct rtnexthop *)skb_put(skb, RTA_ALIGN(sizeof(*nhp)));
Expand Down

0 comments on commit 7438189

Please sign in to comment.