Page MenuHomeFreeBSD
Differential D56963

rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
ClosedPublic
Actions

Authored by pouria on Tue, May 12, 11:47 AM.
Tags
None
Referenced Files
F157485602: D56963.id.diff
Thu, May 21, 11:31 PM
F157465528: D56963.diff
Thu, May 21, 6:38 PM
Unknown Object (File)
Tue, May 19, 12:59 PM
Unknown Object (File)
Tue, May 19, 3:16 AM
Unknown Object (File)
Mon, May 18, 8:31 PM
Unknown Object (File)
Mon, May 18, 7:23 PM
Unknown Object (File)
Mon, May 18, 7:23 PM
Unknown Object (File)
Mon, May 18, 7:23 PM
View All Files
Subscribers
imp

Details

Reviewers
markj
glebius
melifaro
Group Reviewers
network
Commits
rG44be923a2b6b: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
rG2c6617658f0c: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
rG4329663a861e: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
Summary

Fix length validation of RTA_MULTIPATH attributes in
nlattr_get_multipath() by making sure the user request is align.

PR: 295102
Reported by: Robert Morris <rtm@lcs.mit.edu>
Fixes: 7e5bf68495cc ("netlink: add netlink support")
MFC after: 3 days

Test Plan

See the attached patch in PR295102.
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=270516

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 73060
Build 69943: arc lint + arc unit

Event Timeline

pouria created this revision.Tue, May 12, 11:47 AM
Herald added a subscriber: imp. · View Herald TranscriptTue, May 12, 11:47 AM
pouria requested review of this revision.Tue, May 12, 11:47 AM
Harbormaster completed remote builds in B73011: Diff 177633.Tue, May 12, 11:47 AM
markj added inline comments.Tue, May 12, 4:04 PM
sys/netlink/route/rt.c
484

Are you sure that NL_ITEM_ALIGN() won't cause the value to wrap around, e.g., if rtnh->rtnh_len == 0xffff? I suspect we should also check NL_ITEM_ALIGN(rtnh->rtnh_len) >= rtnh->rtnh_len.

490

Here I guess we're assuming that nl_parse_header() isn't going to modify *rtnh, even though the first parameter is not a pointer to const? It would be nice if this code actually used the const qualifier.

497–498

It might be a bit cleaner to assign len at the beginning of the loop.

pouria updated this revision to Diff 177718.Tue, May 12, 9:56 PM
pouria marked 2 inline comments as done.

@markj you're absolutely right. my mistake.
Thank you!

Harbormaster completed remote builds in B73060: Diff 177718.Tue, May 12, 9:56 PM
pouria added inline comments.Tue, May 12, 9:56 PM
sys/netlink/route/rt.c
490

I'll work on it in another revision.

markj accepted this revision.Wed, May 13, 12:37 AM

It would be great to add another regression test for this. I suspect that a KASAN kernel would panic if given Robert's original test case, but I haven't tried it.

sys/netlink/route/rt.c
490

Thanks!

This revision is now accepted and ready to land.Wed, May 13, 12:37 AM
Closed by commit rG4329663a861e: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get (authored by pouria). · Explain WhyWed, May 13, 11:27 AM
This revision was automatically updated to reflect the committed changes.
pouria added a commit: rG4329663a861e: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get.
pouria added a commit: rG2c6617658f0c: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get.Sat, May 16, 9:22 PM
pouria added a commit: rG44be923a2b6b: rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get.Sat, May 16, 9:33 PM

Revision Contents
Changeset List

PathSize
sys/
netlink/
route/
4 lines

Diff 177718

View Options

sys/netlink/route/rt.c

Loading...