From 4bfbd25a7035e23beef97c64870083c9667c524e Mon Sep 17 00:00:00 2001 From: Luca Weiss Date: Sun, 24 Mar 2019 21:31:24 +0100 Subject: [PATCH] ipv4: Pass struct flowi4 directly to rt_fill_info This is partly a backport of d6c0a4f60984 (ipv4: Kill 'rt_src' from 'struct rtable'). skb->sk can be null, and in fact it is when creating the buffer in inet_rtm_getroute. There is no other way of accessing the flow, so pass it directly. Fixes invalid memory address when running 'ip route get $IPADDR' Change-Id: I7b9e5499614b96360c9c8420907e82e145bb97f3 --- net/ipv4/route.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index fc94a023a803..a9dc8ff631a1 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2985,14 +2985,13 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4, } EXPORT_SYMBOL_GPL(ip_route_output_flow); -static int rt_fill_info(struct net *net, +static int rt_fill_info(struct net *net, struct flowi4 *fl4, struct sk_buff *skb, u32 pid, u32 seq, int event, int nowait, unsigned int flags) { struct rtable *rt = skb_rtable(skb); struct rtmsg *r; struct nlmsghdr *nlh; - struct flowi4 *fl4 = &(inet_sk(skb->sk))->cork.fl.u.ip4; unsigned long expires = 0; const struct inet_peer *peer = rt->peer; u32 id = 0, ts = 0, tsage = 0, error; @@ -3106,6 +3105,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void struct rtmsg *rtm; struct nlattr *tb[RTA_MAX+1]; struct rtable *rt = NULL; + struct flowi4 fl4; __be32 dst = 0; __be32 src = 0; u32 iif; @@ -3145,6 +3145,14 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void else uid = (iif ? INVALID_UID : current_uid()); + memset(&fl4, 0, sizeof(fl4)); + fl4.daddr = dst; + fl4.saddr = src; + fl4.flowi4_tos = rtm->rtm_tos; + fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0; + fl4.flowi4_mark = mark; + fl4.flowi4_uid = uid; + if (iif) { struct net_device *dev; @@ -3165,14 +3173,6 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void if (err == 0 && rt->dst.error) err = -rt->dst.error; } else { - struct flowi4 fl4 = { - .daddr = dst, - .saddr = src, - .flowi4_tos = rtm->rtm_tos, - .flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0, - .flowi4_mark = mark, - .flowi4_uid = uid, - }; rt = ip_route_output_key(net, &fl4); err = 0; @@ -3187,7 +3187,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void if (rtm->rtm_flags & RTM_F_NOTIFY) rt->rt_flags |= RTCF_NOTIFY; - err = rt_fill_info(net, skb, NETLINK_CB(in_skb).pid, nlh->nlmsg_seq, + err = rt_fill_info(net, &fl4, skb, NETLINK_CB(in_skb).pid, nlh->nlmsg_seq, RTM_NEWROUTE, 0, 0); if (err <= 0) goto errout_free; @@ -3225,8 +3225,8 @@ int ip_rt_dump(struct sk_buff *skb, struct netlink_callback *cb) if (rt_is_expired(rt)) continue; skb_dst_set_noref(skb, &rt->dst); - if (rt_fill_info(net, skb, NETLINK_CB(cb->skb).pid, - cb->nlh->nlmsg_seq, RTM_NEWROUTE, + if (rt_fill_info(net, &(inet_sk(skb->sk))->cork.fl.u.ip4, skb, + NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq, RTM_NEWROUTE, 1, NLM_F_MULTI) <= 0) { skb_dst_drop(skb); rcu_read_unlock_bh();