From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
To: netdev@vger.kernel.org
Cc: roopa@cumulusnetworks.com, dsahern@gmail.com,
	Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Subject: [PATCH net 2/2] net: nexthop: check for null return by nexthop_select_path()
Date: Tue, 19 May 2020 14:04:24 +0300
Message-ID: <20200519110424.2397623-3-nikolay@cumulusnetworks.com>
In-Reply-To: <20200519110424.2397623-1-nikolay@cumulusnetworks.com>

nexthop_select_path() may return null if either .nh is null or the
number of nexthops is 0 (rc == NULL). We need to check its return value
before use to avoid dereferencing a null ptr.

Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info")
Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
Could you please confirm that simply returning in the IPv6 case is ok?
AFAICT it's fine, I've also tested it, but I'm a bit worried about
ip6_pol_route_lookup -> ip6_create_rt_rcu and the second directly
dereferencing res->nh. I think rt6_device_match() should take care of
that case, but I'd appreciate more eyes on that. :)

 include/net/nexthop.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/net/nexthop.h b/include/net/nexthop.h
index c440ccc861fc..7cc4343cdbfc 100644
--- a/include/net/nexthop.h
+++ b/include/net/nexthop.h
@@ -203,6 +203,8 @@ static inline void nexthop_path_fib_result(struct fib_result *res, int hash)
 	struct nexthop *nh;
 
 	nh = nexthop_select_path(res->fi->nh, hash);
+	if (unlikely(!nh))
+		return;
 	nhi = rcu_dereference(nh->nh_info);
 	res->nhc = &nhi->fib_nhc;
 }
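
Review bot: The early return after nexthop_select_path() in nexthop_path_fib_result() skips the `res->nhc = &nhi->fib_nhc;` assignment, and because the helper is `static inline void` the caller gets no signal that path selection failed and that res->nhc still holds whatever it held on entry. Either add a comment above the check stating that res->nhc is intentionally left untouched when no path is selected, or have the helper report the failure so callers can handle it explicitly.
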
@@ -290,7 +292,8 @@ static inline void nexthop_path_fib6_result(struct fib6_result *res, int hash)
 	struct nh_info *nhi;
 
 	nh = nexthop_select_path(nh, hash);
-
+	if (unlikely(!nh))
+		return;
 	nhi = rcu_dereference_rtnl(nh->nh_info);
 	if (nhi->reject_nh) {
 		res->fib6_type = RTN_BLACKHOLE;
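
Review bot: In nexthop_path_fib6_result() the new `if (unlikely(!nh)) return;` exits before any field of res is updated, so the state of res on this path is undocumented, and the note below the `---` already raises a concern about a caller dereferencing res->nh afterwards. A short comment at the check (or a sentence in the commit message, which survives into git history unlike the text after `---`) saying what res contains on this path and why callers can rely on it would settle that question for later readers.
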
-- 
2.25.2


Thread overview: 5+ messages
2020-05-19 11:04 [PATCH net 0/2] net: nexthop: multipath null ptr deref fixes Nikolay Aleksandrov
2020-05-19 11:04 ` [PATCH net 1/2] net: nexthop: dereference nh only once in nexthop_select_path Nikolay Aleksandrov
2020-05-19 15:51   ` David Ahern
2020-05-19 11:04 ` Nikolay Aleksandrov [this message]
2020-05-19 16:11 ` [PATCH net 0/2] net: nexthop: multipath null ptr deref fixes David Ahern