matthias
/
iproute2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

ip-route: Fix nexthop encap parsing 

When parsing nexthop parameters, a buffer of 4k bytes is provided. Yet,
in lwt_parse_encap() and some functions called by it, buffer size was
assumed to be 1k despite the actual size was provided. This led to
spurious buffer size errors if the buffer was filled by previous nexthop
parameters to exceed that 1k boundary.

Fixes: 1e5293056a ("lwtunnel: Add encapsulation support to ip route")
Fixes: 5866bddd9a ("ila: Add support for ILA lwtunnels")
Fixes: ed67f83806 ("ila: Support for checksum neutral translation")
Fixes: 86905c8f05 ("ila: support for configuring identifier and hook types")
Fixes: b15f440e78 ("lwt: BPF support for LWT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
This commit is contained in:
Phil Sutter 2018-11-13 13:39:04 +01:00 committed by Stephen Hemminger
parent 7e2f71b431
commit 05d978e085
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ip/iproute_lwtunnel.c
View File

@ -860,7 +860,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
argc--; argv++;
if (rta_addattr64(rta, 1024, ILA_ATTR_LOCATOR, locator))
if (rta_addattr64(rta, len, ILA_ATTR_LOCATOR, locator))
return -1;
while (argc > 0) {
@ -874,7 +874,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
invarg("\"csum-mode\" value is invalid\n",
*argv);
ret = rta_addattr8(rta, 1024, ILA_ATTR_CSUM_MODE,
ret = rta_addattr8(rta, len, ILA_ATTR_CSUM_MODE,
(__u8)csum_mode);
argc--; argv++;
@ -888,7 +888,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
invarg("\"ident-type\" value is invalid\n",
*argv);
ret = rta_addattr8(rta, 1024, ILA_ATTR_IDENT_TYPE,
ret = rta_addattr8(rta, len, ILA_ATTR_IDENT_TYPE,
(__u8)ident_type);
argc--; argv++;
@ -902,7 +902,7 @@ static int parse_encap_ila(struct rtattr *rta, size_t len,
invarg("\"hook-type\" value is invalid\n",
*argv);
ret = rta_addattr8(rta, 1024, ILA_ATTR_HOOK_TYPE,
ret = rta_addattr8(rta, len, ILA_ATTR_HOOK_TYPE,
(__u8)hook_type);
argc--; argv++;
@ -1034,7 +1034,7 @@ static int parse_encap_bpf(struct rtattr *rta, size_t len, int *argcp,
if (get_unsigned(&headroom, *argv, 0) || headroom == 0)
invarg("headroom is invalid\n", *argv);
if (!headroom_set)
rta_addattr32(rta, 1024, LWT_BPF_XMIT_HEADROOM,
rta_addattr32(rta, len, LWT_BPF_XMIT_HEADROOM,
headroom);
headroom_set = 1;
} else if (strcmp(*argv, "help") == 0) {
@ -1075,7 +1075,7 @@ int lwt_parse_encap(struct rtattr *rta, size_t len, int *argcp, char ***argvp)
exit(-1);
}
nest = rta_nest(rta, 1024, RTA_ENCAP);
nest = rta_nest(rta, len, RTA_ENCAP);
switch (type) {
case LWTUNNEL_ENCAP_MPLS:
ret = parse_encap_mpls(rta, len, &argc, &argv);
@ -1108,7 +1108,7 @@ int lwt_parse_encap(struct rtattr *rta, size_t len, int *argcp, char ***argvp)
rta_nest_end(rta, nest);
ret = rta_addattr16(rta, 1024, RTA_ENCAP_TYPE, type);
ret = rta_addattr16(rta, len, RTA_ENCAP_TYPE, type);
*argcp = argc;
*argvp = argv;