lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAMEuxRrrw8PSbpKjd6W-pvRc9fLCJUvqtqdAM1JwhLpizx7ZMw@mail.gmail.com>
Date:   Sat, 17 Sep 2022 18:54:35 -0700
From:   Li Zhong <floridsleeves@...il.com>
To:     David Ahern <dsahern@...nel.org>
Cc:     Nikolay Aleksandrov <razor@...ckwall.org>,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        pabeni@...hat.com, kuba@...nel.org, edumazet@...gle.com,
        davem@...emloft.net, yoshfuji@...ux-ipv6.org
Subject: Re: [PATCH v1] net/ipv4/nexthop: check the return value of nexthop_find_by_id()

On Sat, Sep 17, 2022 at 7:46 AM David Ahern <dsahern@...nel.org> wrote:
>
> On 9/17/22 2:29 AM, Nikolay Aleksandrov wrote:
> > On 17/09/2022 05:30, Li Zhong wrote:
> >> Check the return value of nexthop_find_by_id(), which could be NULL on
> >> when not found. So we check to avoid null pointer dereference.
> >>
> >> Signed-off-by: Li Zhong <floridsleeves@...il.com>
> >> ---
> >>  net/ipv4/nexthop.c | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> >> index 853a75a8fbaf..9f91bb78eed5 100644
> >> --- a/net/ipv4/nexthop.c
> >> +++ b/net/ipv4/nexthop.c
> >> @@ -2445,6 +2445,10 @@ static struct nexthop *nexthop_create_group(struct net *net,
> >>              struct nh_info *nhi;
> >>
> >>              nhe = nexthop_find_by_id(net, entry[i].id);
> >> +            if (!nhe) {
> >> +                    err = -EINVAL;
> >> +                    goto out_no_nh;
> >> +            }
> >>              if (!nexthop_get(nhe)) {
> >>                      err = -ENOENT;
> >>                      goto out_no_nh;
> >
> > These are validated in nh_check_attr_group() and should exist at this point.
> > Since remove_nexthop() should run under rtnl I don't see a way for a nexthop
> > to disappear after nh_check_attr_group() and before nexthop_create_group().
> >
>
> exactly. That lookup can't fail because the ids have been validated and
> all of this is under rtnl preventing nexthop removes.
>

Thanks for all your replies. That makes sense to me.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ