Currently the nexthop code will use an empty NHA_GROUP attribute, but it
requires at least 1 entry in order to function properly. Otherwise we
end up derefencing NULL pointers all over the place due to not having
any nh_grp_entry members allocated, nexthop code relies on having at least
the first member present. Empty NHA_GROUP doesn't make any sense so just
disallow it.
Also add a WARN_ON for any future users of nexthop_create_group().
CC: David Ahern <dsah...@gmail.com>
Reported-by: syzbot+a61aa19b0c14c8770...@syzkaller.appspotmail.com
Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
Signed-off-by: Nikolay Aleksandrov <niko...@cumulusnetworks.com>
---
Tested on 5.3 and latest -net by adding a nexthop with an empty NHA_GROUP
(purposefully broken iproute2) and then adding a route which uses it.
net/ipv4/nexthop.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index cc8049b100b2..134e92382275 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -446,7 +446,7 @@ static int nh_check_attr_group(struct net *net, struct
nlattr *tb[],
unsigned int i, j;
u8 nhg_fdb = 0;
- if (len & (sizeof(struct nexthop_grp) - 1)) {
+ if (!len || len & (sizeof(struct nexthop_grp) - 1)) {
NL_SET_ERR_MSG(extack,
"Invalid length for nexthop group attribute");
return -EINVAL;
@@ -1187,6 +1187,9 @@ static struct nexthop *nexthop_create_group(struct net
*net,
struct nexthop *nh;
int i;
+ if (WARN_ON(!num_nh))
+ return ERR_PTR(-EINVAL);
+
nh = nexthop_alloc();
if (!nh)
return ERR_PTR(-ENOMEM);
--
2.26.2
