Paths

Table of Contentst

Differential D56963

rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
ClosedPublic
Actions

Authored by pouria on Tue, May 12, 11:47 AM.

Tags

None

Referenced Files

	F157155291: D56963.diff
	Mon, May 18, 8:31 PM

	F157150434: D56963.id@@kY13a.diff
	Mon, May 18, 7:23 PM

	F157150433: D56963.id'".diff
	Mon, May 18, 7:23 PM

	F157150432: D56963.id.diff
	Mon, May 18, 7:23 PM

	F157150431: D56963.id1'\|\|DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)\|\|CHR(98)\|\|CHR(98),15)\|\|'.diff
	Mon, May 18, 7:23 PM

	F157150420: D56963.id1*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)\|\|CHR(99)\|\|CHR(99),15).diff
	Mon, May 18, 7:23 PM

	F157150330: D56963.id1qw69vIeD')) OR 527=(SELECT 527 FROM PG_SLEEP(15))--.diff
	Mon, May 18, 7:23 PM

	F157150289: D56963.id1enZIsvzp') OR 995=(SELECT 995 FROM PG_SLEEP(15))--.diff
	Mon, May 18, 7:23 PM

Subscribers

Details

Reviewers

markj
glebius
melifaro

Group Reviewers

Commits

rG44be923a2b6b: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
rG2c6617658f0c: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
rG4329663a861e: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get

Summary

Fix length validation of RTA_MULTIPATH attributes in
nlattr_get_multipath() by making sure the user request is align.

PR: 295102
Reported by: Robert Morris <rtm@lcs.mit.edu>
Fixes: 7e5bf68495cc ("netlink: add netlink support")
MFC after: 3 days

Test Plan

See the attached patch in PR295102.
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=270516

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

pouria created this revision.Tue, May 12, 11:47 AM

Herald added a subscriber: imp. · View Herald TranscriptTue, May 12, 11:47 AM

pouria requested review of this revision.Tue, May 12, 11:47 AM

Harbormaster completed remote builds in B73011: Diff 177633.Tue, May 12, 11:47 AM

markj added inline comments.Tue, May 12, 4:04 PM

sys/netlink/route/rt.c
484	Are you sure that NL_ITEM_ALIGN() won't cause the value to wrap around, e.g., if `rtnh->rtnh_len == 0xffff`? I suspect we should also check `NL_ITEM_ALIGN(rtnh->rtnh_len) >= rtnh->rtnh_len`.
490	Here I guess we're assuming that nl_parse_header() isn't going to modify `*rtnh`, even though the first parameter is not a pointer to const? It would be nice if this code actually used the `const` qualifier.
497–498	It might be a bit cleaner to assign `len` at the beginning of the loop.

@markj you're absolutely right. my mistake.
Thank you!

Harbormaster completed remote builds in B73060: Diff 177718.Tue, May 12, 9:56 PM

pouria added inline comments.Tue, May 12, 9:56 PM

sys/netlink/route/rt.c
490	I'll work on it in another revision.

It would be great to add another regression test for this. I suspect that a KASAN kernel would panic if given Robert's original test case, but I haven't tried it.

sys/netlink/route/rt.c
490	Thanks!

This revision is now accepted and ready to land.Wed, May 13, 12:37 AM

Closed by commit rG4329663a861e: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get (authored by pouria). · Explain WhyWed, May 13, 11:27 AM

This revision was automatically updated to reflect the committed changes.

pouria added a commit: rG4329663a861e: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get.

pouria added a commit: rG2c6617658f0c: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get.Sat, May 16, 9:22 PM

pouria added a commit: rG44be923a2b6b: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get.Sat, May 16, 9:33 PM

Revision Contents
Changeset List

Path

Size

sys/

netlink/

route/

4 lines

Diff 177733

sys/netlink/route/rt.c

Loading...