d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE.

Browse Source 
Reported by:	Stefan Grundmann <sg2342@googlemail.com>
MFC after:	1 day
This commit is contained in:
Alexander V. Chernikov 2023-02-17 17:31:40 +00:00
parent a0aa160b6d
commit f2f7911c55
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
sys/netlink/route/rt.c
View File

@ -840,6 +840,11 @@ rtnl_handle_newroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
return (EINVAL);
}
if (attrs.rta_table >= V_rt_numfibs) {
NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
return (EINVAL);
}
if (attrs.rta_nh_id != 0) {
/* Referenced uindex */
int pxflag = get_pxflag(&attrs);
@ -898,6 +903,11 @@ rtnl_handle_delroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
return (ESRCH);
}
if (attrs.rta_table >= V_rt_numfibs) {
NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
return (EINVAL);
}
error = rib_del_route_px(attrs.rta_table, attrs.rta_dst,
attrs.rtm_dst_len, path_match_func, &attrs, 0, &rc);
if (error == 0)
@ -915,6 +925,11 @@ rtnl_handle_getroute(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *
if (error != 0)
return (error);
if (attrs.rta_table >= V_rt_numfibs) {
NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
return (EINVAL);
}
if (hdr->nlmsg_flags & NLM_F_DUMP)
error = handle_rtm_dump(nlp, attrs.rta_table, attrs.rtm_family, hdr, npt->nw);
else