diff options
| -rw-r--r-- | include/net/fib_rules.h | 1 | ||||
| -rw-r--r-- | net/core/fib_rules.c | 30 | ||||
| -rw-r--r-- | net/decnet/dn_rules.c | 13 | ||||
| -rw-r--r-- | net/ipv4/fib_rules.c | 14 | ||||
| -rw-r--r-- | net/ipv6/fib6_rules.c | 14 |
5 files changed, 48 insertions, 24 deletions
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h index bc3c26494c3d..d585ea9fa97d 100644 --- a/include/net/fib_rules.h +++ b/include/net/fib_rules.h | |||
| @@ -34,6 +34,7 @@ struct fib_rules_ops | |||
| 34 | int family; | 34 | int family; |
| 35 | struct list_head list; | 35 | struct list_head list; |
| 36 | int rule_size; | 36 | int rule_size; |
| 37 | int addr_size; | ||
| 37 | 38 | ||
| 38 | int (*action)(struct fib_rule *, | 39 | int (*action)(struct fib_rule *, |
| 39 | struct flowi *, int, | 40 | struct flowi *, int, |
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 3aea4e87d3d7..d011819a8058 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c | |||
| @@ -152,6 +152,28 @@ out: | |||
| 152 | 152 | ||
| 153 | EXPORT_SYMBOL_GPL(fib_rules_lookup); | 153 | EXPORT_SYMBOL_GPL(fib_rules_lookup); |
| 154 | 154 | ||
| 155 | static int validate_rulemsg(struct fib_rule_hdr *frh, struct nlattr **tb, | ||
| 156 | struct fib_rules_ops *ops) | ||
| 157 | { | ||
| 158 | int err = -EINVAL; | ||
| 159 | |||
| 160 | if (frh->src_len) | ||
| 161 | if (tb[FRA_SRC] == NULL || | ||
| 162 | frh->src_len > (ops->addr_size * 8) || | ||
| 163 | nla_len(tb[FRA_SRC]) != ops->addr_size) | ||
| 164 | goto errout; | ||
| 165 | |||
| 166 | if (frh->dst_len) | ||
| 167 | if (tb[FRA_DST] == NULL || | ||
| 168 | frh->dst_len > (ops->addr_size * 8) || | ||
| 169 | nla_len(tb[FRA_DST]) != ops->addr_size) | ||
| 170 | goto errout; | ||
| 171 | |||
| 172 | err = 0; | ||
| 173 | errout: | ||
| 174 | return err; | ||
| 175 | } | ||
| 176 | |||
| 155 | int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | 177 | int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) |
| 156 | { | 178 | { |
| 157 | struct fib_rule_hdr *frh = nlmsg_data(nlh); | 179 | struct fib_rule_hdr *frh = nlmsg_data(nlh); |
| @@ -173,6 +195,10 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
| 173 | if (err < 0) | 195 | if (err < 0) |
| 174 | goto errout; | 196 | goto errout; |
| 175 | 197 | ||
| 198 | err = validate_rulemsg(frh, tb, ops); | ||
| 199 | if (err < 0) | ||
| 200 | goto errout; | ||
| 201 | |||
| 176 | rule = kzalloc(ops->rule_size, GFP_KERNEL); | 202 | rule = kzalloc(ops->rule_size, GFP_KERNEL); |
| 177 | if (rule == NULL) { | 203 | if (rule == NULL) { |
| 178 | err = -ENOMEM; | 204 | err = -ENOMEM; |
| @@ -260,6 +286,10 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
| 260 | if (err < 0) | 286 | if (err < 0) |
| 261 | goto errout; | 287 | goto errout; |
| 262 | 288 | ||
| 289 | err = validate_rulemsg(frh, tb, ops); | ||
| 290 | if (err < 0) | ||
| 291 | goto errout; | ||
| 292 | |||
| 263 | list_for_each_entry(rule, ops->rules_list, list) { | 293 | list_for_each_entry(rule, ops->rules_list, list) { |
| 264 | if (frh->action && (frh->action != rule->action)) | 294 | if (frh->action && (frh->action != rule->action)) |
| 265 | continue; | 295 | continue; |
diff --git a/net/decnet/dn_rules.c b/net/decnet/dn_rules.c index b6c98ac93dc8..5e86dd542302 100644 --- a/net/decnet/dn_rules.c +++ b/net/decnet/dn_rules.c | |||
| @@ -109,8 +109,6 @@ errout: | |||
| 109 | 109 | ||
| 110 | static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = { | 110 | static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = { |
| 111 | FRA_GENERIC_POLICY, | 111 | FRA_GENERIC_POLICY, |
| 112 | [FRA_SRC] = { .type = NLA_U16 }, | ||
| 113 | [FRA_DST] = { .type = NLA_U16 }, | ||
| 114 | }; | 112 | }; |
| 115 | 113 | ||
| 116 | static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) | 114 | static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) |
| @@ -133,7 +131,7 @@ static int dn_fib_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 133 | int err = -EINVAL; | 131 | int err = -EINVAL; |
| 134 | struct dn_fib_rule *r = (struct dn_fib_rule *)rule; | 132 | struct dn_fib_rule *r = (struct dn_fib_rule *)rule; |
| 135 | 133 | ||
| 136 | if (frh->src_len > 16 || frh->dst_len > 16 || frh->tos) | 134 | if (frh->tos) |
| 137 | goto errout; | 135 | goto errout; |
| 138 | 136 | ||
| 139 | if (rule->table == RT_TABLE_UNSPEC) { | 137 | if (rule->table == RT_TABLE_UNSPEC) { |
| @@ -150,10 +148,10 @@ static int dn_fib_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 150 | } | 148 | } |
| 151 | } | 149 | } |
| 152 | 150 | ||
| 153 | if (tb[FRA_SRC]) | 151 | if (frh->src_len) |
| 154 | r->src = nla_get_le16(tb[FRA_SRC]); | 152 | r->src = nla_get_le16(tb[FRA_SRC]); |
| 155 | 153 | ||
| 156 | if (tb[FRA_DST]) | 154 | if (frh->dst_len) |
| 157 | r->dst = nla_get_le16(tb[FRA_DST]); | 155 | r->dst = nla_get_le16(tb[FRA_DST]); |
| 158 | 156 | ||
| 159 | r->src_len = frh->src_len; | 157 | r->src_len = frh->src_len; |
| @@ -176,10 +174,10 @@ static int dn_fib_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, | |||
| 176 | if (frh->dst_len && (r->dst_len != frh->dst_len)) | 174 | if (frh->dst_len && (r->dst_len != frh->dst_len)) |
| 177 | return 0; | 175 | return 0; |
| 178 | 176 | ||
| 179 | if (tb[FRA_SRC] && (r->src != nla_get_le16(tb[FRA_SRC]))) | 177 | if (frh->src_len && (r->src != nla_get_le16(tb[FRA_SRC]))) |
| 180 | return 0; | 178 | return 0; |
| 181 | 179 | ||
| 182 | if (tb[FRA_DST] && (r->dst != nla_get_le16(tb[FRA_DST]))) | 180 | if (frh->dst_len && (r->dst != nla_get_le16(tb[FRA_DST]))) |
| 183 | return 0; | 181 | return 0; |
| 184 | 182 | ||
| 185 | return 1; | 183 | return 1; |
| @@ -249,6 +247,7 @@ int dn_fib_dump_rules(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 249 | static struct fib_rules_ops dn_fib_rules_ops = { | 247 | static struct fib_rules_ops dn_fib_rules_ops = { |
| 250 | .family = AF_DECnet, | 248 | .family = AF_DECnet, |
| 251 | .rule_size = sizeof(struct dn_fib_rule), | 249 | .rule_size = sizeof(struct dn_fib_rule), |
| 250 | .addr_size = sizeof(u16), | ||
| 252 | .action = dn_fib_rule_action, | 251 | .action = dn_fib_rule_action, |
| 253 | .match = dn_fib_rule_match, | 252 | .match = dn_fib_rule_match, |
| 254 | .configure = dn_fib_rule_configure, | 253 | .configure = dn_fib_rule_configure, |
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index b837c33e0404..c660c074c76c 100644 --- a/net/ipv4/fib_rules.c +++ b/net/ipv4/fib_rules.c | |||
| @@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table(void) | |||
| 171 | 171 | ||
| 172 | static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { | 172 | static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { |
| 173 | FRA_GENERIC_POLICY, | 173 | FRA_GENERIC_POLICY, |
| 174 | [FRA_SRC] = { .type = NLA_U32 }, | ||
| 175 | [FRA_DST] = { .type = NLA_U32 }, | ||
| 176 | [FRA_FLOW] = { .type = NLA_U32 }, | 174 | [FRA_FLOW] = { .type = NLA_U32 }, |
| 177 | }; | 175 | }; |
| 178 | 176 | ||
| @@ -183,8 +181,7 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 183 | int err = -EINVAL; | 181 | int err = -EINVAL; |
| 184 | struct fib4_rule *rule4 = (struct fib4_rule *) rule; | 182 | struct fib4_rule *rule4 = (struct fib4_rule *) rule; |
| 185 | 183 | ||
| 186 | if (frh->src_len > 32 || frh->dst_len > 32 || | 184 | if (frh->tos & ~IPTOS_TOS_MASK) |
| 187 | (frh->tos & ~IPTOS_TOS_MASK)) | ||
| 188 | goto errout; | 185 | goto errout; |
| 189 | 186 | ||
| 190 | if (rule->table == RT_TABLE_UNSPEC) { | 187 | if (rule->table == RT_TABLE_UNSPEC) { |
| @@ -201,10 +198,10 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 201 | } | 198 | } |
| 202 | } | 199 | } |
| 203 | 200 | ||
| 204 | if (tb[FRA_SRC]) | 201 | if (frh->src_len) |
| 205 | rule4->src = nla_get_be32(tb[FRA_SRC]); | 202 | rule4->src = nla_get_be32(tb[FRA_SRC]); |
| 206 | 203 | ||
| 207 | if (tb[FRA_DST]) | 204 | if (frh->dst_len) |
| 208 | rule4->dst = nla_get_be32(tb[FRA_DST]); | 205 | rule4->dst = nla_get_be32(tb[FRA_DST]); |
| 209 | 206 | ||
| 210 | #ifdef CONFIG_NET_CLS_ROUTE | 207 | #ifdef CONFIG_NET_CLS_ROUTE |
| @@ -242,10 +239,10 @@ static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, | |||
| 242 | return 0; | 239 | return 0; |
| 243 | #endif | 240 | #endif |
| 244 | 241 | ||
| 245 | if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC]))) | 242 | if (frh->src_len && (rule4->src != nla_get_be32(tb[FRA_SRC]))) |
| 246 | return 0; | 243 | return 0; |
| 247 | 244 | ||
| 248 | if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST]))) | 245 | if (frh->dst_len && (rule4->dst != nla_get_be32(tb[FRA_DST]))) |
| 249 | return 0; | 246 | return 0; |
| 250 | 247 | ||
| 251 | return 1; | 248 | return 1; |
| @@ -309,6 +306,7 @@ static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule) | |||
| 309 | static struct fib_rules_ops fib4_rules_ops = { | 306 | static struct fib_rules_ops fib4_rules_ops = { |
| 310 | .family = AF_INET, | 307 | .family = AF_INET, |
| 311 | .rule_size = sizeof(struct fib4_rule), | 308 | .rule_size = sizeof(struct fib4_rule), |
| 309 | .addr_size = sizeof(u32), | ||
| 312 | .action = fib4_rule_action, | 310 | .action = fib4_rule_action, |
| 313 | .match = fib4_rule_match, | 311 | .match = fib4_rule_match, |
| 314 | .configure = fib4_rule_configure, | 312 | .configure = fib4_rule_configure, |
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index 0862809ffcf7..ea3035b4e3e8 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c | |||
| @@ -131,8 +131,6 @@ static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) | |||
| 131 | 131 | ||
| 132 | static struct nla_policy fib6_rule_policy[FRA_MAX+1] __read_mostly = { | 132 | static struct nla_policy fib6_rule_policy[FRA_MAX+1] __read_mostly = { |
| 133 | FRA_GENERIC_POLICY, | 133 | FRA_GENERIC_POLICY, |
| 134 | [FRA_SRC] = { .len = sizeof(struct in6_addr) }, | ||
| 135 | [FRA_DST] = { .len = sizeof(struct in6_addr) }, | ||
| 136 | }; | 134 | }; |
| 137 | 135 | ||
| 138 | static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | 136 | static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, |
| @@ -142,9 +140,6 @@ static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 142 | int err = -EINVAL; | 140 | int err = -EINVAL; |
| 143 | struct fib6_rule *rule6 = (struct fib6_rule *) rule; | 141 | struct fib6_rule *rule6 = (struct fib6_rule *) rule; |
| 144 | 142 | ||
| 145 | if (frh->src_len > 128 || frh->dst_len > 128) | ||
| 146 | goto errout; | ||
| 147 | |||
| 148 | if (rule->action == FR_ACT_TO_TBL) { | 143 | if (rule->action == FR_ACT_TO_TBL) { |
| 149 | if (rule->table == RT6_TABLE_UNSPEC) | 144 | if (rule->table == RT6_TABLE_UNSPEC) |
| 150 | goto errout; | 145 | goto errout; |
| @@ -155,11 +150,11 @@ static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 155 | } | 150 | } |
| 156 | } | 151 | } |
| 157 | 152 | ||
| 158 | if (tb[FRA_SRC]) | 153 | if (frh->src_len) |
| 159 | nla_memcpy(&rule6->src.addr, tb[FRA_SRC], | 154 | nla_memcpy(&rule6->src.addr, tb[FRA_SRC], |
| 160 | sizeof(struct in6_addr)); | 155 | sizeof(struct in6_addr)); |
| 161 | 156 | ||
| 162 | if (tb[FRA_DST]) | 157 | if (frh->dst_len) |
| 163 | nla_memcpy(&rule6->dst.addr, tb[FRA_DST], | 158 | nla_memcpy(&rule6->dst.addr, tb[FRA_DST], |
| 164 | sizeof(struct in6_addr)); | 159 | sizeof(struct in6_addr)); |
| 165 | 160 | ||
| @@ -186,11 +181,11 @@ static int fib6_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, | |||
| 186 | if (frh->tos && (rule6->tclass != frh->tos)) | 181 | if (frh->tos && (rule6->tclass != frh->tos)) |
| 187 | return 0; | 182 | return 0; |
| 188 | 183 | ||
| 189 | if (tb[FRA_SRC] && | 184 | if (frh->src_len && |
| 190 | nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) | 185 | nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) |
| 191 | return 0; | 186 | return 0; |
| 192 | 187 | ||
| 193 | if (tb[FRA_DST] && | 188 | if (frh->dst_len && |
| 194 | nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) | 189 | nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) |
| 195 | return 0; | 190 | return 0; |
| 196 | 191 | ||
| @@ -240,6 +235,7 @@ static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule) | |||
| 240 | static struct fib_rules_ops fib6_rules_ops = { | 235 | static struct fib_rules_ops fib6_rules_ops = { |
| 241 | .family = AF_INET6, | 236 | .family = AF_INET6, |
| 242 | .rule_size = sizeof(struct fib6_rule), | 237 | .rule_size = sizeof(struct fib6_rule), |
| 238 | .addr_size = sizeof(struct in6_addr), | ||
| 243 | .action = fib6_rule_action, | 239 | .action = fib6_rule_action, |
| 244 | .match = fib6_rule_match, | 240 | .match = fib6_rule_match, |
| 245 | .configure = fib6_rule_configure, | 241 | .configure = fib6_rule_configure, |