Commit dfdd5fd4 authored by Thomas Graf's avatar Thomas Graf Committed by David S. Miller

[IPV4]: Convert address deletion to new netlink api

Fixes various unvalidated netlink attributes causing
memory corruptions when left empty by userspace.
Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5c753978
...@@ -430,34 +430,48 @@ struct in_ifaddr *inet_ifa_byprefix(struct in_device *in_dev, u32 prefix, ...@@ -430,34 +430,48 @@ struct in_ifaddr *inet_ifa_byprefix(struct in_device *in_dev, u32 prefix,
static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
{ {
struct rtattr **rta = arg; struct nlattr *tb[IFA_MAX+1];
struct in_device *in_dev; struct in_device *in_dev;
struct ifaddrmsg *ifm = NLMSG_DATA(nlh); struct ifaddrmsg *ifm;
struct in_ifaddr *ifa, **ifap; struct in_ifaddr *ifa, **ifap;
int err = -EINVAL;
ASSERT_RTNL(); ASSERT_RTNL();
if ((in_dev = inetdev_by_index(ifm->ifa_index)) == NULL) err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy);
goto out; if (err < 0)
goto errout;
ifm = nlmsg_data(nlh);
in_dev = inetdev_by_index(ifm->ifa_index);
if (in_dev == NULL) {
err = -ENODEV;
goto errout;
}
__in_dev_put(in_dev); __in_dev_put(in_dev);
for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL; for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
ifap = &ifa->ifa_next) { ifap = &ifa->ifa_next) {
if ((rta[IFA_LOCAL - 1] && if (tb[IFA_LOCAL] &&
memcmp(RTA_DATA(rta[IFA_LOCAL - 1]), ifa->ifa_local != nla_get_u32(tb[IFA_LOCAL]))
&ifa->ifa_local, 4)) ||
(rta[IFA_LABEL - 1] &&
rtattr_strcmp(rta[IFA_LABEL - 1], ifa->ifa_label)) ||
(rta[IFA_ADDRESS - 1] &&
(ifm->ifa_prefixlen != ifa->ifa_prefixlen ||
!inet_ifa_match(*(u32*)RTA_DATA(rta[IFA_ADDRESS - 1]),
ifa))))
continue; continue;
if (tb[IFA_LABEL] && nla_strcmp(tb[IFA_LABEL], ifa->ifa_label))
continue;
if (tb[IFA_ADDRESS] &&
(ifm->ifa_prefixlen != ifa->ifa_prefixlen ||
!inet_ifa_match(nla_get_u32(tb[IFA_ADDRESS]), ifa)))
continue;
inet_del_ifa(in_dev, ifap, 1); inet_del_ifa(in_dev, ifap, 1);
return 0; return 0;
} }
out:
return -EADDRNOTAVAIL; err = -EADDRNOTAVAIL;
errout:
return err;
} }
static struct in_ifaddr *rtm_to_ifaddr(struct nlmsghdr *nlh) static struct in_ifaddr *rtm_to_ifaddr(struct nlmsghdr *nlh)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment