On 6/4/18 4:46 PM, Eric Dumazet wrote:
> Before using nla_get_u32(), better make sure the attribute
> is of the proper size.
>
> Code recently was changed, but bug has been there from beginning
> of git.
> ...
>
> Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
That commit just moved the code from 1 file to another. The previous commit id is 6cf9dfd3bd62e, but it just moved code to a helper. The originating commit id for the ip_metrics_convert bug is: ea697639992d9 ("net: tcp: add RTAX_CC_ALGO fib handling") > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Eric Dumazet <eduma...@google.com> > Reported-by: syzbot <syzkal...@googlegroups.com> > Cc: David Ahern <dsah...@gmail.com> > --- > net/ipv4/fib_semantics.c | 2 ++ > net/ipv4/metrics.c | 2 ++ > 2 files changed, 4 insertions(+) > > diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c > index > 6608db23f54b6afdac0455650b47d64b1b22b255..9a890be8a0265edb78da225a82e2cac120f2150f > 100644 > --- a/net/ipv4/fib_semantics.c > +++ b/net/ipv4/fib_semantics.c > @@ -717,6 +717,8 @@ bool fib_metrics_match(struct fib_config *cfg, struct > fib_info *fi) > nla_strlcpy(tmp, nla, sizeof(tmp)); > val = tcp_ca_get_key_by_name(fi->fib_net, tmp, &ecn_ca); > } else { > + if (nla_len(nla) != sizeof(u32) > + return false; > val = nla_get_u32(nla); > } > > diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c > index > 5121c6475e6b0e9a9a158d4cee473f52cd4d8efe..04311f7067e2e9e3dafb89aa4f8e30dab0fde854 > 100644 > --- a/net/ipv4/metrics.c > +++ b/net/ipv4/metrics.c > @@ -32,6 +32,8 @@ int ip_metrics_convert(struct net *net, struct nlattr > *fc_mx, int fc_mx_len, > if (val == TCP_CA_UNSPEC) > return -EINVAL; > } else { > + if (nla_len(nla) != sizeof(u32)) > + return -EINVAL; > val = nla_get_u32(nla); > } > if (type == RTAX_ADVMSS && val > 65535 - 40) >
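Review bot: In the fib_metrics_match() hunk (net/ipv4/fib_semantics.c), the added condition `if (nla_len(nla) != sizeof(u32)` is missing its closing parenthesis, so the file will not build as posted. It should read `if (nla_len(nla) != sizeof(u32))`, the same form as the check added to ip_metrics_convert() in the second hunk.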
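Review bot: In the ip_metrics_convert() hunk (net/ipv4/metrics.c), the length test before `val = nla_get_u32(nla);` is open-coded and repeated verbatim in fib_metrics_match(), with only the return value differing (-EINVAL here, false there). A short comment at one of the sites explaining why the attribute size has to be checked by hand before nla_get_u32(), or a small shared helper used by both callers, would keep the two checks from drifting apart. Note also that `!=` rejects attributes longer than a u32 as well as shorter ones; if that strictness is intended, the commit message could say so.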