lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 22 Aug 2020 13:33:40 +0300
From:   Nikolay Aleksandrov <>
        Nikolay Aleksandrov <>,
        David Ahern <>,
Subject: [PATCH net] net: nexthop: don't allow empty NHA_GROUP

Currently the nexthop code will use an empty NHA_GROUP attribute, but it
requires at least 1 entry in order to function properly. Otherwise we
end up derefencing NULL pointers all over the place due to not having
any nh_grp_entry members allocated, nexthop code relies on having at least
the first member present. Empty NHA_GROUP doesn't make any sense so just
disallow it.
Also add a WARN_ON for any future users of nexthop_create_group().

CC: David Ahern <>
Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
Signed-off-by: Nikolay Aleksandrov <>
Tested on 5.3 and latest -net by adding a nexthop with an empty NHA_GROUP
(purposefully broken iproute2) and then adding a route which uses it.

 net/ipv4/nexthop.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index cc8049b100b2..134e92382275 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -446,7 +446,7 @@ static int nh_check_attr_group(struct net *net, struct nlattr *tb[],
 	unsigned int i, j;
 	u8 nhg_fdb = 0;
-	if (len & (sizeof(struct nexthop_grp) - 1)) {
+	if (!len || len & (sizeof(struct nexthop_grp) - 1)) {
 			       "Invalid length for nexthop group attribute");
 		return -EINVAL;
@@ -1187,6 +1187,9 @@ static struct nexthop *nexthop_create_group(struct net *net,
 	struct nexthop *nh;
 	int i;
+	if (WARN_ON(!num_nh))
+		return ERR_PTR(-EINVAL);
 	nh = nexthop_alloc();
 	if (!nh)
 		return ERR_PTR(-ENOMEM);

Powered by blists - more mailing lists