[PATCH 1/2] netlink: Fix iterations over nexthop objects

23 Apr 2024

Somewhat confusingly, RTNH_NEXT(), as defined by ,
doesn't take an attribute length parameter like RTA_NEXT() does, and
I just modelled loops over nexthops after RTA loops, forgetting to
decrease the remaining length we pass to RTNH_OK().

In practice, this didn't cause issue in any of the combinations I
checked, at least without the next patch.

We seem to be the only user of RTNH_OK(): even iproute2 has an
open-coded version of it in print_rta_multipath() (ip/iproute.c).

Introduce RTNH_NEXT_AND_DEC(), similar to RTA_NEXT(), and use it.

Fixes: 6c7623d07bbd ("netlink: Add support to fetch default gateway from multipath routes")
Fixes: f4e38b5cd232 ("netlink: Adjust interface index inside copied nexthop objects too")
Signed-off-by: Stefano Brivio 
---
 netlink.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/netlink.c b/netlink.c
index 89c0641..a5a4870 100644
--- a/netlink.c
+++ b/netlink.c
@@ -36,6 +36,10 @@
 #include "ip.h"
 #include "netlink.h"
 
+/* Same as RTA_NEXT() but for nexthops: RTNH_NEXT() doesn't take 'attrlen' */
+#define RTNH_NEXT_AND_DEC(rtnh, attrlen)				\
+	((attrlen) -= RTNH_ALIGN((rtnh)->rtnh_len), RTNH_NEXT(rtnh))
+
 /* Netlink expects a buffer of at least 8kiB or the system page size,
  * whichever is larger.  32kiB is recommended for more efficient.
  * Since the largest page size on any remotely common Linux setup is
@@ -349,12 +353,13 @@ unsigned int nl_get_ext_if(int s, sa_family_t af)
  */
 bool nl_route_get_def_multipath(struct rtattr *rta, void *gw)
 {
+	size_t nh_len = RTA_PAYLOAD(rta);
 	struct rtnexthop *rtnh;
 	bool found = false;
 	int hops = -1;
 
 	for (rtnh = (struct rtnexthop *)RTA_DATA(rta);
-	     RTNH_OK(rtnh, RTA_PAYLOAD(rta)); rtnh = RTNH_NEXT(rtnh)) {
+	     RTNH_OK(rtnh, nh_len); rtnh = RTNH_NEXT_AND_DEC(rtnh, nh_len)) {
 		size_t len = rtnh->rtnh_len - sizeof(*rtnh);
 		struct rtattr *rta_inner;
 
@@ -566,11 +571,12 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
 			if (rta->rta_type == RTA_OIF) {
 				*(unsigned int *)RTA_DATA(rta) = ifi_dst;
 			} else if (rta->rta_type == RTA_MULTIPATH) {
+				size_t nh_len = RTA_PAYLOAD(rta);
 				struct rtnexthop *rtnh;
 
 				for (rtnh = (struct rtnexthop *)RTA_DATA(rta);
-				     RTNH_OK(rtnh, RTA_PAYLOAD(rta));
-				     rtnh = RTNH_NEXT(rtnh))
+				     RTNH_OK(rtnh, nh_len);
+				     rtnh = RTNH_NEXT_AND_DEC(rtnh, nh_len))
 					rtnh->rtnh_ifindex = ifi_dst;
 			} else if (rta->rta_type == RTA_PREFSRC) {
 				/* Host routes might include a preferred source
-- 
2.43.0

    