From patchwork Fri Mar  6 10:47:00 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Robert Shearman <rshearma@brocade.com>
X-Patchwork-Id: 447276
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id D8B08140082
	for <patchwork-incoming@ozlabs.org>;
	Fri,  6 Mar 2015 21:48:23 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933357AbbCFKsQ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 6 Mar 2015 05:48:16 -0500
Received: from mx0a-000f0801.pphosted.com ([67.231.144.122]:46546 "EHLO
	mx0a-000f0801.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S932195AbbCFKsM (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 6 Mar 2015 05:48:12 -0500
Received: from pps.filterd (m0048193.ppops.net [127.0.0.1])
	by mx0a-000f0801.pphosted.com (8.14.7/8.14.7) with SMTP id
	t269xhJJ010535; Fri, 6 Mar 2015 02:48:11 -0800
Received: from hq1wp-exchub02.corp.brocade.com ([144.49.131.13])
	by mx0a-000f0801.pphosted.com with ESMTP id 1sy01m1vh0-1
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT);
	Fri, 06 Mar 2015 02:48:11 -0800
Received: from BRMWP-EXCHUB02.corp.brocade.com (172.16.187.99) by
	HQ1WP-EXCHUB02.corp.brocade.com (10.70.38.101) with Microsoft SMTP
	Server (TLS) id 14.3.123.3; Fri, 6 Mar 2015 02:48:10 -0800
Received: from EMEAWP-CASH01.corp.brocade.com (172.29.18.10) by
	BRMWP-EXCHUB02.corp.brocade.com (172.16.187.99) with Microsoft SMTP
	Server (TLS) id 14.3.123.3; Fri, 6 Mar 2015 03:48:09 -0700
Received: from BRA-2XN4P12.brocade.com (172.29.21.130) by imapeu.brocade.com
	(172.29.18.15) with Microsoft SMTP Server (TLS) id 8.3.298.1;
	Fri, 6 Mar 2015 11:48:07 +0100
From: Robert Shearman <rshearma@brocade.com>
To: David Miller <davem@davemloft.net>
CC: <netdev@vger.kernel.org>, Robert Shearman <rshearma@brocade.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH net-next] mpls: Properly validate RTA_VIA payload length
Date: Fri, 6 Mar 2015 10:47:00 +0000
Message-ID: <1425638820-19990-1-git-send-email-rshearma@brocade.com>
X-Mailer: git-send-email 2.1.4
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33,
	0.0.0000
	definitions=2015-03-06_03:2015-03-06, 2015-03-06,
	1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
	suspectscore=0 phishscore=0
	adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx
	scancount=1
	engine=7.0.1-1402240000 definitions=main-1503060113
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

If the nla length is less than 2 then the nla data could be accessed
beyond the accessible bounds. So ensure that the nla is big enough to
at least read the via_family before doing so. Replace magic value of
2.

Fixes: 03c0566542f4 ("mpls: Basic support for adding and removing routes")
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Robert Shearman <rshearma@brocade.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
 net/mpls/af_mpls.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 23e51d1..4ce39f6 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -585,8 +585,11 @@ static int rtm_to_route_config(struct sk_buff *skb,  struct nlmsghdr *nlh,
 		case RTA_VIA:
 		{
 			struct rtvia *via = nla_data(nla);
+			if (nla_len(nla) < offsetof(struct rtvia, rtvia_addr))
+				goto errout;
 			cfg->rc_via_family = via->rtvia_family;
-			cfg->rc_via_alen   = nla_len(nla) - 2;
+			cfg->rc_via_alen   = nla_len(nla) -
+				offsetof(struct rtvia, rtvia_addr);
 			if (cfg->rc_via_alen > MAX_VIA_ALEN)
 				goto errout;