ipv6: fib6_rules should return exact return value
With the addition of the suppress operation
(7764a45a8f
("fib_rules: add .suppress
operation") we rely on accurate error reporting of the fib_rules.actions.
fib6_rule_action always returned -EAGAIN in case we could not find a
matching route and 0 if a rule was matched. This also included a match
for blackhole or prohibited rule actions which could get suppressed by
the new logic.
So adapt fib6_rule_action to always return the correct error code as
its counterpart fib4_rule_action does. This also fixes a possibility of
nullptr-deref where we don't find a table, thus rt == NULL. Because
the condition rt != ip6_null_entry still holds it seems we could later
get a nullptr bug on dereference rt->dst.
v2:
a) Fixed a brain fart in the commit msg (the rule => a table, etc). No
changes to the patch.
Cc: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent
378307217e
commit
46b3a42190
@ -55,26 +55,33 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
|
|||||||
struct fib6_table *table;
|
struct fib6_table *table;
|
||||||
struct net *net = rule->fr_net;
|
struct net *net = rule->fr_net;
|
||||||
pol_lookup_t lookup = arg->lookup_ptr;
|
pol_lookup_t lookup = arg->lookup_ptr;
|
||||||
|
int err = 0;
|
||||||
|
|
||||||
switch (rule->action) {
|
switch (rule->action) {
|
||||||
case FR_ACT_TO_TBL:
|
case FR_ACT_TO_TBL:
|
||||||
break;
|
break;
|
||||||
case FR_ACT_UNREACHABLE:
|
case FR_ACT_UNREACHABLE:
|
||||||
|
err = -ENETUNREACH;
|
||||||
rt = net->ipv6.ip6_null_entry;
|
rt = net->ipv6.ip6_null_entry;
|
||||||
goto discard_pkt;
|
goto discard_pkt;
|
||||||
default:
|
default:
|
||||||
case FR_ACT_BLACKHOLE:
|
case FR_ACT_BLACKHOLE:
|
||||||
|
err = -EINVAL;
|
||||||
rt = net->ipv6.ip6_blk_hole_entry;
|
rt = net->ipv6.ip6_blk_hole_entry;
|
||||||
goto discard_pkt;
|
goto discard_pkt;
|
||||||
case FR_ACT_PROHIBIT:
|
case FR_ACT_PROHIBIT:
|
||||||
|
err = -EACCES;
|
||||||
rt = net->ipv6.ip6_prohibit_entry;
|
rt = net->ipv6.ip6_prohibit_entry;
|
||||||
goto discard_pkt;
|
goto discard_pkt;
|
||||||
}
|
}
|
||||||
|
|
||||||
table = fib6_get_table(net, rule->table);
|
table = fib6_get_table(net, rule->table);
|
||||||
if (table)
|
if (!table) {
|
||||||
rt = lookup(net, table, flp6, flags);
|
err = -EAGAIN;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
rt = lookup(net, table, flp6, flags);
|
||||||
if (rt != net->ipv6.ip6_null_entry) {
|
if (rt != net->ipv6.ip6_null_entry) {
|
||||||
struct fib6_rule *r = (struct fib6_rule *)rule;
|
struct fib6_rule *r = (struct fib6_rule *)rule;
|
||||||
|
|
||||||
@ -101,6 +108,7 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
|
|||||||
}
|
}
|
||||||
again:
|
again:
|
||||||
ip6_rt_put(rt);
|
ip6_rt_put(rt);
|
||||||
|
err = -EAGAIN;
|
||||||
rt = NULL;
|
rt = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@ -108,7 +116,7 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
|
|||||||
dst_hold(&rt->dst);
|
dst_hold(&rt->dst);
|
||||||
out:
|
out:
|
||||||
arg->result = rt;
|
arg->result = rt;
|
||||||
return rt == NULL ? -EAGAIN : 0;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
|
static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
|
||||||
|
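Review bot: The reject arms now return a negative errno while still publishing a held route through `arg->result` (at `discard_pkt:` the code runs `dst_hold(&rt->dst)` and then falls into `arg->result = rt; return err;`), and nothing in the visible code documents that two-channel contract. By contrast, the `-EAGAIN` returns on the `!table` and `again:` paths reach `out:` with `rt` cleared (NULL for the missing-table case, per the commit message), so a non-zero return does not tell a caller whether a reference is outstanding. A caller that treats any non-zero return as "no result" would presumably leak the reference taken by `dst_hold`; the callers are not on this page, so that needs confirming there. I would add a comment above `discard_pkt:` along the lines of `/* reject actions: return the errno, but arg->result still carries a held reject dst that the caller must release */`. The function's opening lines and the code between the three hunks are not shown, so this covers only the visible paths.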