From d80837df37cb8897769f87f7a2034a9653168221 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Thu, 21 Feb 2019 14:38:57 +0100

Subject: [PATCH] iproute: Abort if nexthop cannot be parsed

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1624656

Upstream Status: iproute2.git commit ee53b42fd8b0b

commit ee53b42fd8b0b0cdb857d0f5bf7467e22a3457d9

Author: Jakub Sitnicki <jkbs@redhat.com>

Date:   Wed Apr 11 11:43:11 2018 +0200

    iproute: Abort if nexthop cannot be parsed

    Attempt to add a multipath route where a nexthop definition refers to a

    non-existent device causes 'ip' to crash and burn due to stack buffer

    overflow:

      # ip -6 route add fd00::1/64 nexthop dev fake1

      Cannot find device "fake1"

      Cannot find device "fake1"

      Cannot find device "fake1"

      ...

      Segmentation fault (core dumped)

    Don't ignore errors from the helper routine that parses the nexthop

    definition, and abort immediately if parsing fails.

    Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>

---

 ip/iproute.c | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ip/iproute.c b/ip/iproute.c

index 35fdce8..759032d 100644

--- a/ip/iproute.c

+++ b/ip/iproute.c

@@ -817,7 +817,10 @@ static int parse_nexthops(struct nlmsghdr *n, struct rtmsg *r,

 		memset(rtnh, 0, sizeof(*rtnh));

 		rtnh->rtnh_len = sizeof(*rtnh);

 		rta->rta_len += rtnh->rtnh_len;

-		parse_one_nh(n, r, rta, rtnh, &argc, &argv);

+		if (parse_one_nh(n, r, rta, rtnh, &argc, &argv)) {

+			fprintf(stderr, "Error: cannot parse nexthop\n");

+			exit(-1);

+		}

 		rtnh = RTNH_NEXT(rtnh);

 	}

-- 

1.8.3.1