On Thu, 6 Sep 2018 15:31:51 +0200 Phil Sutter <p...@nwl.cc> wrote: > It was possible to crash ip-route by adding an IPv6 route with 37 > nexthop statements. A simple reproducer is: > > | for i in `seq 37`; do > | nhs="nexthop via 1111::$i "$nhs > | done > | ip -6 route add 3333::/64 $nhs > > The related code was broken in multiple ways: > > * parse_one_nh() assumed that rta points to 4kB of storage but caller > provided just 1kB. Fixed by passing 'len' parameter with the correct > value. > > * Error checking of rta_addattr*() calls in parse_one_nh() and called > functions was completely absent, so with above fix in place output > flood would occur due to parser looping forever. > > While being at it, increase message buffer sizes to 4k. This allows for > at most 144 nexthops. > > Signed-off-by: Phil Sutter <p...@nwl.cc>
Thanks for fixing this. Shows where more test cases are needed.