4 files changed, 21 insertions, 9 deletions
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 1fba6439fc57..fc920f63452b 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -493,6 +493,11 @@ static int rtm_to_fib_config(struct sk_buff *skb, struct nlmsghdr *nlh,
        cfg->fc_nlinfo.pid = NETLINK_CB(skb).pid;
        cfg->fc_nlinfo.nlh = nlh;
+        if (cfg->fc_type > RTN_MAX) {
+                err = -EINVAL;
+                goto errout;
+        }
        nlmsg_for_each_attr(attr, nlh, sizeof(struct rtmsg), remaining) {
                switch (attr->nla_type) {
                case RTA_DST:
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index b837c33e0404..c660c074c76c 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table(void)
 static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = {
        FRA_GENERIC_POLICY,
-        [FRA_SRC]       = { .type = NLA_U32 },
-        [FRA_DST]       = { .type = NLA_U32 },
        [FRA_FLOW]      = { .type = NLA_U32 },
 };
@@ -183,8 +181,7 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
        int err = -EINVAL;
        struct fib4_rule *rule4 = (struct fib4_rule *) rule;
-        if (frh->src_len > 32 || frh->dst_len > 32 ||
+        if (frh->tos & ~IPTOS_TOS_MASK)
-            (frh->tos & ~IPTOS_TOS_MASK))
                goto errout;
        if (rule->table == RT_TABLE_UNSPEC) {
@@ -201,10 +198,10 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
                }
        }
-        if (tb[FRA_SRC])
+        if (frh->src_len)
                rule4->src = nla_get_be32(tb[FRA_SRC]);
-        if (tb[FRA_DST])
+        if (frh->dst_len)
                rule4->dst = nla_get_be32(tb[FRA_DST]);
 #ifdef CONFIG_NET_CLS_ROUTE
@@ -242,10 +239,10 @@ static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
                return 0;
 #endif
-        if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC])))
+        if (frh->src_len && (rule4->src != nla_get_be32(tb[FRA_SRC])))
                return 0;
-        if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST])))
+        if (frh->dst_len && (rule4->dst != nla_get_be32(tb[FRA_DST])))
                return 0;
        return 1;
@@ -309,6 +306,7 @@ static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule)
 static struct fib_rules_ops fib4_rules_ops = {
        .family         = AF_INET,
        .rule_size      = sizeof(struct fib4_rule),
+        .addr_size      = sizeof(u32),
        .action         = fib4_rule_action,
        .match          = fib4_rule_match,
        .configure      = fib4_rule_configure,
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 2f1fdae6efa6..3dad12ee76c3 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -89,7 +89,7 @@ static const struct
 {
        int     error;
        u8      scope;
-} fib_props[RTA_MAX + 1] = {
+} fib_props[RTN_MAX + 1] = {
        {
                .error  = 0,
                .scope  = RT_SCOPE_NOWHERE,
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index ada9b3db507d..214c34732e84 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1123,6 +1123,9 @@ err:
        return fa_head;
 }
+/*
+ * Caller must hold RTNL.
+ */
 static int fn_trie_insert(struct fib_table *tb, struct fib_config *cfg)
 {
        struct trie *t = (struct trie *) tb->tb_data;
@@ -1540,6 +1543,9 @@ static int trie_leaf_remove(struct trie *t, t_key key)
        return 1;
 }
+/*
+ * Caller must hold RTNL.
+ */
 static int fn_trie_delete(struct fib_table *tb, struct fib_config *cfg)
 {
        struct trie *t = (struct trie *) tb->tb_data;
@@ -1718,6 +1724,9 @@ up:
        return NULL; /* Ready. Root of trie */
 }
+/*
+ * Caller must hold RTNL.
+ */
 static int fn_trie_flush(struct fib_table *tb)
 {
        struct trie *t = (struct trie *) tb->tb_data;