lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 19 May 2020 14:04:24 +0300
From:   Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To:     netdev@...r.kernel.org
Cc:     roopa@...ulusnetworks.com, dsahern@...il.com,
        Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
Subject: [PATCH net 2/2] net: nexthop: check for null return by nexthop_select_path()

nexthop_select_path() may return null if either .nh is null or the
number of nexthops is 0 (rc == NULL). We need to check its return value
before use to avoid deferencing a null ptr.

Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info")
Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
Signed-off-by: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
---
Could you please confirm that simply returning in the IPv6 case is ok?
AFAICT it's fine, I've also tested it, but I'm a bit worried about
ip6_pol_route_lookup -> ip6_create_rt_rcu and the second directly
deferencing res->nh. I think rt6_device_match() should take care of
that case, but I'd appreciate more eyes on that. :)

 include/net/nexthop.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/net/nexthop.h b/include/net/nexthop.h
index c440ccc861fc..7cc4343cdbfc 100644
--- a/include/net/nexthop.h
+++ b/include/net/nexthop.h
@@ -203,6 +203,8 @@ static inline void nexthop_path_fib_result(struct fib_result *res, int hash)
 	struct nexthop *nh;
 
 	nh = nexthop_select_path(res->fi->nh, hash);
+	if (unlikely(!nh))
+		return;
 	nhi = rcu_dereference(nh->nh_info);
 	res->nhc = &nhi->fib_nhc;
 }
@@ -290,7 +292,8 @@ static inline void nexthop_path_fib6_result(struct fib6_result *res, int hash)
 	struct nh_info *nhi;
 
 	nh = nexthop_select_path(nh, hash);
-
+	if (unlikely(!nh))
+		return;
 	nhi = rcu_dereference_rtnl(nh->nh_info);
 	if (nhi->reject_nh) {
 		res->fib6_type = RTN_BLACKHOLE;
-- 
2.25.2

Powered by blists - more mailing lists