git: f2f7911c5513 - main - netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 17 Feb 2023 18:16:43 UTC
The branch main has been updated by melifaro: URL: https://cgit.FreeBSD.org/src/commit/?id=f2f7911c5513096e46422ad7756bc90c13c6e6d8 commit f2f7911c5513096e46422ad7756bc90c13c6e6d8 Author: Alexander V. Chernikov <melifaro@FreeBSD.org> AuthorDate: 2023-02-17 17:31:40 +0000 Commit: Alexander V. Chernikov <melifaro@FreeBSD.org> CommitDate: 2023-02-17 18:00:37 +0000 netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE. Reported by: Stefan Grundmann <sg2342@googlemail.com> MFC after: 1 day --- sys/netlink/route/rt.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 59b34c53ad4b..aca69e75fea8 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -840,6 +840,11 @@ rtnl_handle_newroute(struct nlmsghdr *hdr, struct nlpcb *nlp, return (EINVAL); } + if (attrs.rta_table >= V_rt_numfibs) { + NLMSG_REPORT_ERR_MSG(npt, "invalid fib"); + return (EINVAL); + } + if (attrs.rta_nh_id != 0) { /* Referenced uindex */ int pxflag = get_pxflag(&attrs); @@ -898,6 +903,11 @@ rtnl_handle_delroute(struct nlmsghdr *hdr, struct nlpcb *nlp, return (ESRCH); } + if (attrs.rta_table >= V_rt_numfibs) { + NLMSG_REPORT_ERR_MSG(npt, "invalid fib"); + return (EINVAL); + } + error = rib_del_route_px(attrs.rta_table, attrs.rta_dst, attrs.rtm_dst_len, path_match_func, &attrs, 0, &rc); if (error == 0) @@ -915,6 +925,11 @@ rtnl_handle_getroute(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate * if (error != 0) return (error); + if (attrs.rta_table >= V_rt_numfibs) { + NLMSG_REPORT_ERR_MSG(npt, "invalid fib"); + return (EINVAL); + } + if (hdr->nlmsg_flags & NLM_F_DUMP) error = handle_rtm_dump(nlp, attrs.rta_table, attrs.rtm_family, hdr, npt->nw); else