route: don't enforce minlen in inet6_parse_protinfo() (IFLA_PROTINFO) and inet_parse_af() (IFLA_AF_SPEC)

Older kernel version might have fewer values defined, so they would send
netlink messages that got rejected. Only check that at least one value
got sent.

This is especially grave as libnl uses an internal copy of the
kernel header files. Thus not only it is bound to the installed kernel
headers but to the libnl internal header copies that might easily be out
of sync with the kernel.

This affects IFLA_PROTINFO, inet6_parse_protinfo():
  - tb[IFLA_INET6_CONF], expecting DEVCONF_MAX
  - tb[IFLA_INET6_STATS], expecting __IPSTATS_MIB_MAX
  - tb[IFLA_INET6_ICMP6STATS], expecting __ICMP6_MIB_MAX
and IFLA_AF_SPEC, inet_parse_af():
  - tb[IFLA_INET_CONF], expecting IPV4_DEVCONF_MAX

https://bugzilla.redhat.com/show_bug.cgi?id=1062533

Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Thomas Haller <thaller@redhat.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/lib/route/link/inet.c b/lib/route/link/inet.c
index e2c867d..eb2e8ae 100644
--- a/lib/route/link/inet.c
+++ b/lib/route/link/inet.c
@@ -92,7 +92,7 @@ static void inet_free(struct rtnl_link *link, void *data)
 }
 
 static struct nla_policy inet_policy[IFLA_INET6_MAX+1] = {
-	[IFLA_INET_CONF]	= { .minlen = IPV4_DEVCONF_MAX * 4 },
+	[IFLA_INET_CONF]	= { .minlen = 4 },
 };
 
 static int inet_parse_af(struct rtnl_link *link, struct nlattr *attr, void *data)
@@ -104,6 +104,8 @@ static int inet_parse_af(struct rtnl_link *link, struct nlattr *attr, void *data
 	err = nla_parse_nested(tb, IFLA_INET_MAX, attr, inet_policy);
 	if (err < 0)
 		return err;
+	if (tb[IFLA_INET_CONF] && nla_len(tb[IFLA_INET_CONF]) % 4)
+		return -EINVAL;
 
 	if (tb[IFLA_INET_CONF])
 		nla_memcpy(&id->i_conf, tb[IFLA_INET_CONF], sizeof(id->i_conf));