Merge branch 'add-checks-for-incoming-packet-addresses'

Jeremy Kerr says: ==================== Add checks for incoming packet addresses This series adds a couple of checks for valid addresses on incoming MCTP packets. We introduce a couple of helpers in 1/2, and use them in the ingress path in 2/2. ==================== Link: https://lore.kernel.org/r/20220218042554.564787-1-jk@codeconstruct.com.auSigned-off-by: Jakub Kicinski <kuba@kernel.org>

Merge branch 'add-checks-for-incoming-packet-addresses'
Jeremy Kerr says: ==================== Add checks for incoming packet addresses This series adds a couple of checks for valid addresses on incoming MCTP packets. We introduce a couple of helpers in 1/2, and use them in the ingress path in 2/2. ==================== Link: https://lore.kernel.org/r/20220218042554.564787-1-jk@codeconstruct.com.auSigned-off-by: Jakub Kicinski <kuba@kernel.org>
bbcf340d · Jakub Kicinski · 47f0bd50 · 86cdfd63 · bbcf340d · bbcf340d
Commit bbcf340d authored Feb 18, 2022 by Jakub Kicinski
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 4 deletions

include/net/mctp.h include/net/mctp.h +11 -1

net/mctp/device.c net/mctp/device.c +1 -1

net/mctp/neigh.c net/mctp/neigh.c +1 -1

net/mctp/route.c net/mctp/route.c +12 -1

No files found.
--- a/include/net/mctp.h
+++ b/include/net/mctp.h
@@ -40,11 +40,21 @@ struct mctp_hdr {

 #define MCTP_INITIAL_DEFAULT_NET	1

-static inline bool mctp_address_ok(mctp_eid_t eid)
+static inline bool mctp_address_unicast(mctp_eid_t eid)
 {
 	return eid >= 8 && eid < 255;
 }

+static inline bool mctp_address_broadcast(mctp_eid_t eid)
+{
+	return eid == 255;
+}
+
+static inline bool mctp_address_null(mctp_eid_t eid)
+{
+	return eid == 0;
+}
+
 static inline bool mctp_address_matches(mctp_eid_t match, mctp_eid_t eid)
 {
 	return match == eid || match == MCTP_ADDR_ANY;

--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -209,7 +209,7 @@ static int mctp_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (!mdev)
 		return -ENODEV;

-	if (!mctp_address_ok(addr->s_addr))
+	if (!mctp_address_unicast(addr->s_addr))
 		return -EINVAL;

 	/* Prevent duplicates. Under RTNL so don't need to lock for reading */

--- a/net/mctp/neigh.c
+++ b/net/mctp/neigh.c
@@ -143,7 +143,7 @@ static int mctp_rtm_newneigh(struct sk_buff *skb, struct nlmsghdr *nlh,
 	}

 	eid = nla_get_u8(tb[NDA_DST]);
-	if (!mctp_address_ok(eid)) {
+	if (!mctp_address_unicast(eid)) {
 		NL_SET_ERR_MSG(extack, "Invalid neighbour EID");
 		return -EINVAL;
 	}

--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -962,7 +962,7 @@ static int mctp_route_add(struct mctp_dev *mdev, mctp_eid_t daddr_start,
 	struct net *net = dev_net(mdev->dev);
 	struct mctp_route *rt, *ert;

-	if (!mctp_address_ok(daddr_start))
+	if (!mctp_address_unicast(daddr_start))
 		return -EINVAL;

 	if (daddr_extent > 0xff || daddr_start + daddr_extent >= 255)
@@ -1092,6 +1092,17 @@ static int mctp_pkttype_receive(struct sk_buff *skb, struct net_device *dev,
 	if (mh->ver < MCTP_VER_MIN || mh->ver > MCTP_VER_MAX)
 		goto err_drop;

+	/* source must be valid unicast or null; drop reserved ranges and
+	 * broadcast
+	 */
+	if (!(mctp_address_unicast(mh->src) || mctp_address_null(mh->src)))
+		goto err_drop;
+
+	/* dest address: as above, but allow broadcast */
+	if (!(mctp_address_unicast(mh->dest) || mctp_address_null(mh->dest) ||
+	      mctp_address_broadcast(mh->dest)))
+		goto err_drop;
+
 	/* MCTP drivers must populate halen/haddr */
 	if (dev->type == ARPHRD_MCTP) {
 		cb = mctp_cb(skb);