Re: [PATCH] net/mpls: fix missing NULL check in mpls_valid_fib_dump_req
From: Nikolay Aleksandrov
Date: Mon Mar 23 2026 - 04:59:27 EST
On Mon, Mar 23, 2026 at 03:15:15PM +0800, sunichi wrote:
> The attribute tb[RTA_OIF] is dereferenced without verifying if it is NULL.
> If this attribute is missing in the user netlink message, it will cause a
> NULL pointer dereference and kernel panic.
>
> Add the necessary check before using the pointer to prevent the crash.
>
> Signed-off-by: sunichi <sunyiqixm@xxxxxxxxx>
> ---
> net/mpls/af_mpls.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
> index d5417688f69e..28bbea30aae3 100644
> --- a/net/mpls/af_mpls.c
> +++ b/net/mpls/af_mpls.c
> @@ -2174,6 +2174,8 @@ static int mpls_valid_fib_dump_req(struct net *net, const struct nlmsghdr *nlh,
> int ifindex;
>
> if (i == RTA_OIF) {
> + if (!tb[i])
> + return -EINVAL;
> ifindex = nla_get_u32(tb[i]);
> filter->dev = dev_get_by_index_rcu(net, ifindex);
> if (!filter->dev)
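Review bot: The added `if (!tb[i]) return -EINVAL;` at the top of the `i == RTA_OIF` branch makes any request that omits RTA_OIF fail with -EINVAL, so the attribute becomes mandatory rather than optional. If a request without RTA_OIF is meant to be valid and simply unfiltered, skip the branch when `tb[i]` is NULL instead of returning an error, and leave the failure path to the `if (!filter->dev)` check that follows. The commit message asserts a NULL dereference and panic but shows neither an oops trace nor a reproducer; adding one would settle whether `tb[i]` can be NULL at this point.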
> --
> 2.34.1
>
Why necessary? Did you actually test and see any problem?
RTA_OIF is parsed as NLA_U32 according to rtm_mpls_policy and
nla_for_each_attr walks over all attributes in the msg which
means it is set and we must have at least that many bytes
available for the attribute. So how can it be NULL?
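
The question raised in this thread turns on whether code walks the attributes present in a message or indexes a parsed `tb[]` table. The userspace C model below is an added example, not code from the patch or the kernel; `put_attr`, `parse_attrs`, `get_oif` and the `ATTR_*` names are hypothetical, and it shows that a table-style parse leaves the slot of an omitted attribute NULL, so an index-based consumer needs its own check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Userspace model with hypothetical names; not kernel code. */
#define ATTR_HDR 4u                       /* u16 len + u16 type, as in struct nlattr */
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)  /* attributes are 4-byte aligned */
enum { ATTR_DST = 1, ATTR_OIF = 4, ATTR_MAX = 8 }; /* DST/OIF mirror RTA_*; MAX is constructed */

/* Append one u32 attribute (host byte order); returns the bytes consumed. */
size_t put_attr(uint8_t *dst, uint16_t type, uint32_t val)
{
    uint16_t len = (uint16_t)(ATTR_HDR + sizeof(val));
    memcpy(dst, &len, 2);
    memcpy(dst + 2, &type, 2);
    memcpy(dst + ATTR_HDR, &val, sizeof(val));
    return ATTR_ALIGN(len);
}

/* Table parse: zero tb[], then record each attribute present; omitted types stay NULL. */
int parse_attrs(const uint8_t *buf, size_t len, const uint8_t *tb[ATTR_MAX + 1])
{
    memset(tb, 0, sizeof(tb[0]) * (ATTR_MAX + 1));
    while (len >= ATTR_HDR) {
        uint16_t alen, type;
        memcpy(&alen, buf, 2);
        memcpy(&type, buf + 2, 2);
        if (alen < ATTR_HDR || alen > len)
            return -1;                    /* truncated or malformed attribute */
        if (type <= ATTR_MAX)
            tb[type] = buf;
        size_t step = ATTR_ALIGN(alen) > len ? len : ATTR_ALIGN(alen);
        buf += step;
        len -= step;
    }
    return 0;
}

/* Index-based consumer: 1 = value read, 0 = attribute absent, -1 = short payload. */
int get_oif(const uint8_t *tb[ATTR_MAX + 1], uint32_t *ifindex)
{
    uint16_t alen;
    if (!tb[ATTR_OIF])
        return 0;                         /* without this test the reads below hit NULL */
    memcpy(&alen, tb[ATTR_OIF], 2);
    if (alen < ATTR_HDR + sizeof(*ifindex))
        return -1;
    memcpy(ifindex, tb[ATTR_OIF] + ATTR_HDR, sizeof(*ifindex));
    return 1;
}
```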