git: e28e779b1f4e - releng/13.2 - netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 20 Feb 2023 20:13:10 UTC
The branch releng/13.2 has been updated by melifaro:
URL: https://cgit.FreeBSD.org/src/commit/?id=e28e779b1f4ebef32070e06854336cdf15ad095d
commit e28e779b1f4ebef32070e06854336cdf15ad095d
Author: Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2023-02-17 17:31:40 +0000
Commit: Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-02-20 19:48:35 +0000
netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE.
Reported by: Stefan Grundmann <sg2342@googlemail.com>
Approved by: re(cperciva)
MFC after: 1 day
(cherry picked from commit f2f7911c5513096e46422ad7756bc90c13c6e6d8)
(cherry picked from commit e9296dc1bcd21cd9d719389cd04235ce4513e84d)
---
sys/netlink/route/rt.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 59b34c53ad4b..aca69e75fea8 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -840,6 +840,11 @@ rtnl_handle_newroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
return (EINVAL);
}
+ if (attrs.rta_table >= V_rt_numfibs) {
+ NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
+ return (EINVAL);
+ }
+
if (attrs.rta_nh_id != 0) {
/* Referenced uindex */
int pxflag = get_pxflag(&attrs);
@@ -898,6 +903,11 @@ rtnl_handle_delroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
return (ESRCH);
}
+ if (attrs.rta_table >= V_rt_numfibs) {
+ NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
+ return (EINVAL);
+ }
+
error = rib_del_route_px(attrs.rta_table, attrs.rta_dst,
attrs.rtm_dst_len, path_match_func, &attrs, 0, &rc);
if (error == 0)
@@ -915,6 +925,11 @@ rtnl_handle_getroute(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *
if (error != 0)
return (error);
+ if (attrs.rta_table >= V_rt_numfibs) {
+ NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
+ return (EINVAL);
+ }
+
if (hdr->nlmsg_flags & NLM_F_DUMP)
error = handle_rtm_dump(nlp, attrs.rta_table, attrs.rtm_family, hdr, npt->nw);
else