[PATCH 4.9 16/54] net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given

From: Greg Kroah-Hartman
Date: Mon May 01 2017 - 17:58:00 EST

4.9-stable review patch. If anyone has any objections, please let me know.


From: Florian Larysch <fl@xxxxxxx>

[ Upstream commit a8801799c6975601fd58ae62f48964caec2eb83f ]

inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
ip_route_input when iif is given. If a multipath route is present for
the designated destination, ip_multipath_icmp_hash ends up being called,
which uses the source/destination addresses within the skb to calculate
a hash. However, those are not set in the synthetic skb, causing it to
return an arbitrary and incorrect result.

Instead, use UDP, which gets no such special treatment.

Signed-off-by: Florian Larysch <fl@xxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
net/ipv4/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2569,7 +2569,7 @@ static int inet_rtm_getroute(struct sk_b

/* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
- ip_hdr(skb)->protocol = IPPROTO_ICMP;
+ ip_hdr(skb)->protocol = IPPROTO_UDP;
skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));

src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0;