Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 17 Feb 2023 18:16:43 GMT
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: f2f7911c5513 - main - netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE.
Message-ID:  <202302171816.31HIGh5h054313@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=f2f7911c5513096e46422ad7756bc90c13c6e6d8

commit f2f7911c5513096e46422ad7756bc90c13c6e6d8
Author:     Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2023-02-17 17:31:40 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-02-17 18:00:37 +0000

    netlink: validate rtable value in RTM_<NEW|DEL|GET>ROUTE.
    
    Reported by:    Stefan Grundmann <sg2342@googlemail.com>
    MFC after:      1 day
---
 sys/netlink/route/rt.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 59b34c53ad4b..aca69e75fea8 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -840,6 +840,11 @@ rtnl_handle_newroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
 		return (EINVAL);
 	}
 
+	if (attrs.rta_table >= V_rt_numfibs) {
+		NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
+		return (EINVAL);
+	}
+
 	if (attrs.rta_nh_id != 0) {
 		/* Referenced uindex */
 		int pxflag = get_pxflag(&attrs);
@@ -898,6 +903,11 @@ rtnl_handle_delroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
 		return (ESRCH);
 	}
 
+	if (attrs.rta_table >= V_rt_numfibs) {
+		NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
+		return (EINVAL);
+	}
+
 	error = rib_del_route_px(attrs.rta_table, attrs.rta_dst,
 	    attrs.rtm_dst_len, path_match_func, &attrs, 0, &rc);
 	if (error == 0)
@@ -915,6 +925,11 @@ rtnl_handle_getroute(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *
 	if (error != 0)
 		return (error);
 
+	if (attrs.rta_table >= V_rt_numfibs) {
+		NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
+		return (EINVAL);
+	}
+
 	if (hdr->nlmsg_flags & NLM_F_DUMP)
 		error = handle_rtm_dump(nlp, attrs.rta_table, attrs.rtm_family, hdr, npt->nw);
 	else

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302171816.31HIGh5h054313>