tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

ipv4: validate IPV4_DEVCONF attributes properly

As the IPV4_DEVCONF netlink attributes are not being validated, it is
possible to use netlink to set read-only values like mc_forwarding. In
addition, valid ranges are not being validated neither but that is less
relevant as they aren't in sysctl.

To avoid similar situations in the future, define a NLA policy for
IPV4_DEVCONF attributes which are nested in IFLA_INET_CONF.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260312142637.5704-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Fernando Fernandez Mancera and committed by
Jakub Kicinski fa8fca88 f807b5b9

+45 -10
+45 -10
net/ipv4/devinet.c
··· 2063 2063 [IFLA_INET_CONF] = { .type = NLA_NESTED }, 2064 2064 }; 2065 2065 2066 + static const struct nla_policy inet_devconf_policy[IPV4_DEVCONF_MAX + 1] = { 2067 + [IPV4_DEVCONF_FORWARDING] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2068 + [IPV4_DEVCONF_MC_FORWARDING] = { .type = NLA_REJECT }, 2069 + [IPV4_DEVCONF_PROXY_ARP] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2070 + [IPV4_DEVCONF_ACCEPT_REDIRECTS] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2071 + [IPV4_DEVCONF_SECURE_REDIRECTS] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2072 + [IPV4_DEVCONF_SEND_REDIRECTS] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2073 + [IPV4_DEVCONF_SHARED_MEDIA] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2074 + [IPV4_DEVCONF_RP_FILTER] = NLA_POLICY_RANGE(NLA_U32, 0, 2), 2075 + [IPV4_DEVCONF_ACCEPT_SOURCE_ROUTE] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2076 + [IPV4_DEVCONF_BOOTP_RELAY] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2077 + [IPV4_DEVCONF_LOG_MARTIANS] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2078 + [IPV4_DEVCONF_TAG] = { .type = NLA_U32 }, 2079 + [IPV4_DEVCONF_ARPFILTER] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2080 + [IPV4_DEVCONF_MEDIUM_ID] = NLA_POLICY_MIN(NLA_S32, -1), 2081 + [IPV4_DEVCONF_NOXFRM] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2082 + [IPV4_DEVCONF_NOPOLICY] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2083 + [IPV4_DEVCONF_FORCE_IGMP_VERSION] = NLA_POLICY_RANGE(NLA_U32, 0, 3), 2084 + [IPV4_DEVCONF_ARP_ANNOUNCE] = NLA_POLICY_RANGE(NLA_U32, 0, 2), 2085 + [IPV4_DEVCONF_ARP_IGNORE] = NLA_POLICY_RANGE(NLA_U32, 0, 8), 2086 + [IPV4_DEVCONF_PROMOTE_SECONDARIES] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2087 + [IPV4_DEVCONF_ARP_ACCEPT] = NLA_POLICY_RANGE(NLA_U32, 0, 2), 2088 + [IPV4_DEVCONF_ARP_NOTIFY] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2089 + [IPV4_DEVCONF_ACCEPT_LOCAL] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2090 + [IPV4_DEVCONF_SRC_VMARK] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2091 + [IPV4_DEVCONF_PROXY_ARP_PVLAN] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2092 + [IPV4_DEVCONF_ROUTE_LOCALNET] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2093 + [IPV4_DEVCONF_BC_FORWARDING] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2094 + [IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL] = { .type = NLA_U32 }, 2095 + [IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL] = { .type = NLA_U32 }, 2096 + [IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN] = 2097 + NLA_POLICY_RANGE(NLA_U32, 0, 1), 2098 + [IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST] = 2099 + NLA_POLICY_RANGE(NLA_U32, 0, 1), 2100 + [IPV4_DEVCONF_DROP_GRATUITOUS_ARP] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2101 + [IPV4_DEVCONF_ARP_EVICT_NOCARRIER] = NLA_POLICY_RANGE(NLA_U32, 0, 1), 2102 + }; 2103 + 2066 2104 static int inet_validate_link_af(const struct net_device *dev, 2067 2105 const struct nlattr *nla, 2068 2106 struct netlink_ext_ack *extack) 2069 2107 { 2070 - struct nlattr *a, *tb[IFLA_INET_MAX+1]; 2071 - int err, rem; 2108 + struct nlattr *tb[IFLA_INET_MAX + 1], *nested_tb[IPV4_DEVCONF_MAX + 1]; 2109 + int err; 2072 2110 2073 2111 if (dev && !__in_dev_get_rtnl(dev)) 2074 2112 return -EAFNOSUPPORT; ··· 2117 2079 return err; 2118 2080 2119 2081 if (tb[IFLA_INET_CONF]) { 2120 - nla_for_each_nested(a, tb[IFLA_INET_CONF], rem) { 2121 - int cfgid = nla_type(a); 2082 + err = nla_parse_nested(nested_tb, IPV4_DEVCONF_MAX, 2083 + tb[IFLA_INET_CONF], inet_devconf_policy, 2084 + extack); 2122 2085 2123 - if (nla_len(a) < 4) 2124 - return -EINVAL; 2125 - 2126 - if (cfgid <= 0 || cfgid > IPV4_DEVCONF_MAX) 2127 - return -EINVAL; 2128 - } 2086 + if (err < 0) 2087 + return err; 2129 2088 } 2130 2089 2131 2090 return 0;