mpls: Properly validate RTA_VIA payload length

If the nla length is less than 2 then the nla data could be accessed beyond the accessible bounds. So ensure that the nla is big enough to at least read the via_family before doing so. Replace magic value of 2. Fixes: 03c0566 ("mpls: Basic support for adding and removing routes") Cc: Eric W. Biederman <[email protected]> Signed-off-by: Robert Shearman <[email protected]> Acked-by: "Eric W. Biederman" <[email protected]> Signed-off-by: David S. Miller <[email protected]>
mrcsosa · Mar 6, 2015 · f8d54af · f8d54af
1 parent 5c4b934
commit f8d54af
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
@@ -586,8 +586,11 @@ static int rtm_to_route_config(struct sk_buff *skb,  struct nlmsghdr *nlh,
 		case RTA_VIA:
 		{
 			struct rtvia *via = nla_data(nla);
+			if (nla_len(nla) < offsetof(struct rtvia, rtvia_addr))
+				goto errout;
 			cfg->rc_via_family = via->rtvia_family;
-			cfg->rc_via_alen   = nla_len(nla) - 2;
+			cfg->rc_via_alen   = nla_len(nla) -
+				offsetof(struct rtvia, rtvia_addr);
 			if (cfg->rc_via_alen > MAX_VIA_ALEN)
 				goto errout;