diff options
| author | Eric Dumazet <edumazet@google.com> | 2018-04-22 18:29:23 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-04-29 07:50:06 +0200 |
| commit | b1785e844a02e770d3cb7458a6f15d2e7c1f927b (patch) | |
| tree | 7893e3ff8931ba9979b401fb3ed3e0268a41e8f8 | |
| parent | ab3828313863194e445d439ce7eae65563b774bd (diff) | |
ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ]
KMSAN reported use of uninit-value that I tracked to lack
of proper size check on RTA_TABLE attribute.
I also believe RTA_PREFSRC lacks a similar check.
Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/ipv6/route.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 99920fcea97c..2f6d8f57fdd4 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2711,6 +2711,7 @@ void rt6_mtu_change(struct net_device *dev, unsigned int mtu) static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = { [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) }, + [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) }, [RTA_OIF] = { .type = NLA_U32 }, [RTA_IIF] = { .type = NLA_U32 }, [RTA_PRIORITY] = { .type = NLA_U32 }, @@ -2719,6 +2720,7 @@ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = { [RTA_PREF] = { .type = NLA_U8 }, [RTA_ENCAP_TYPE] = { .type = NLA_U16 }, [RTA_ENCAP] = { .type = NLA_NESTED }, + [RTA_TABLE] = { .type = NLA_U32 }, }; static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh, |