fib, fib6: reject invalid feature bits
authorDaniel Borkmann <daniel@iogearbox.net>
Mon, 31 Aug 2015 13:58:46 +0000 (15:58 +0200)
committerDavid S. Miller <davem@davemloft.net>
Mon, 31 Aug 2015 19:34:00 +0000 (12:34 -0700)
Feature bits that are invalid should not be accepted by the kernel,
only the lower 4 bits may be configured, but not the remaining ones.
Even from these 4, 2 of them are unused.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/uapi/linux/rtnetlink.h
net/ipv4/fib_semantics.c
net/ipv6/route.c

index 0d3d3cc43356e128bc618acbde912fe6b5524ff0..702024769c74bc39f1e9f8400b23ec5bbd7a8ffb 100644 (file)
@@ -418,10 +418,13 @@ enum {
 
 #define RTAX_MAX (__RTAX_MAX - 1)
 
-#define RTAX_FEATURE_ECN       0x00000001
-#define RTAX_FEATURE_SACK      0x00000002
-#define RTAX_FEATURE_TIMESTAMP 0x00000004
-#define RTAX_FEATURE_ALLFRAG   0x00000008
+#define RTAX_FEATURE_ECN       (1 << 0)
+#define RTAX_FEATURE_SACK      (1 << 1)
+#define RTAX_FEATURE_TIMESTAMP (1 << 2)
+#define RTAX_FEATURE_ALLFRAG   (1 << 3)
+
+#define RTAX_FEATURE_MASK      (RTAX_FEATURE_ECN | RTAX_FEATURE_SACK | \
+                                RTAX_FEATURE_TIMESTAMP | RTAX_FEATURE_ALLFRAG)
 
 struct rta_session {
        __u8    proto;
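Review bot: RTAX_FEATURE_MASK is added to a uapi header without a comment saying what it is for, and it still admits all four defined bits although the commit message says two of them are unused. A one-line comment above the define, such as `/* Feature bits accepted in RTAX_FEATURES; any other bit is rejected */`, would tell userspace authors that the mask is a validation boundary and not just a convenience OR. As a style point, `(1 << n)` makes the constants signed int expressions. Writing them as `(1U << n)` would keep `~RTAX_FEATURE_MASK` unsigned where the two .c hunks combine it with the value read from the netlink attribute; the current form does not look wrong, only less explicit.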
index 88afbae893f0d40a4295dc8d14d026c918b4930e..115a08e70d43243215feb8a8f7759493cfa969dd 100644 (file)
@@ -908,6 +908,8 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
                        val = 65535 - 40;
                if (type == RTAX_MTU && val > 65535 - 15)
                        val = 65535 - 15;
+               if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK))
+                       return -EINVAL;
                fi->fib_metrics[type - 1] = val;
        }
 
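Review bot: The new `return -EINVAL` at the RTAX_FEATURES check can leave `fi` partly filled, because earlier attributes may already have been stored through `fi->fib_metrics[type - 1] = val` (this assumes the code sits in the per-attribute loop, as the closing brace suggests). That is harmless only if every caller discards `fi` on a non-zero return; the callers and the start of fib_convert_metrics are outside this hunk, so this should be confirmed. The same mask test is repeated in ip6_convert_metrics in net/ipv6/route.c. A short comment on both, for example `/* only bits in RTAX_FEATURE_MASK may be set from userspace */`, would help keep the two paths aligned when a feature bit is added.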
index 0261b721b34bbd91e4bea31a34c284aa478fc5e7..8771530df45ea0041d5d7a6402dc6de2ee5d0d92 100644 (file)
@@ -1728,6 +1728,8 @@ static int ip6_convert_metrics(struct mx6_config *mxc,
                } else {
                        val = nla_get_u32(nla);
                }
+               if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK))
+                       goto err;
 
                mp[type - 1] = val;
                __set_bit(type - 1, mxc->mx_valid);
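Review bot: The new feature-bit check trusts `val` as produced by `nla_get_u32(nla)` in the else branch just above, and no check of the attribute's payload length is visible in this hunk. If the length is not validated earlier in ip6_convert_metrics (its start is outside the hunk), the mask test on a short attribute would run on bytes that are not part of the payload. A guard such as `if (nla_len(nla) != sizeof(u32)) goto err;` before the read in that branch would close this. The code at `err` is also outside the hunk, so it is worth confirming that it returns the same `-EINVAL` the IPv4 path returns for this condition.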