nexthop_select_path() may return null if either .nh is null or the
number of nexthops is 0 (rc == NULL). We need to check its return value
before use to avoid deferencing a null ptr.
Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info")
Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
Signed-off-by: Nikolay Aleksandrov <[email protected]>
---
Could you please confirm that simply returning in the IPv6 case is ok?
AFAICT it's fine, I've also tested it, but I'm a bit worried about
ip6_pol_route_lookup -> ip6_create_rt_rcu and the second directly
deferencing res->nh. I think rt6_device_match() should take care of
that case, but I'd appreciate more eyes on that. :)
include/net/nexthop.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/net/nexthop.h b/include/net/nexthop.h
index c440ccc861fc..7cc4343cdbfc 100644
--- a/include/net/nexthop.h
+++ b/include/net/nexthop.h
@@ -203,6 +203,8 @@ static inline void nexthop_path_fib_result(struct
fib_result *res, int hash)
struct nexthop *nh;
nh = nexthop_select_path(res->fi->nh, hash);
+ if (unlikely(!nh))
+ return;
nhi = rcu_dereference(nh->nh_info);
res->nhc = &nhi->fib_nhc;
}
@@ -290,7 +292,8 @@ static inline void nexthop_path_fib6_result(struct
fib6_result *res, int hash)
struct nh_info *nhi;
nh = nexthop_select_path(nh, hash);
-
+ if (unlikely(!nh))
+ return;
nhi = rcu_dereference_rtnl(nh->nh_info);
if (nhi->reject_nh) {
res->fib6_type = RTN_BLACKHOLE;
--
2.25.2
