seg6: Fix validation of nexthop addresses

The kernel currently validates that the length of the provided nexthop
address does not exceed the specified length. This can lead to the
kernel reading uninitialized memory if user space provided a shorter
length than the specified one.

Fix by validating that the provided length exactly matches the specified
one.

Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
index ac1dbd492c22dc9361aa86d664e8108a69c63f70..a11a02b4ba95b6686a2d3a07fee403027f2a7611 100644 (file)
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -1644,10 +1644,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
        [SEG6_LOCAL_SRH]        = { .type = NLA_BINARY },
        [SEG6_LOCAL_TABLE]      = { .type = NLA_U32 },
        [SEG6_LOCAL_VRFTABLE]   = { .type = NLA_U32 },
-       [SEG6_LOCAL_NH4]        = { .type = NLA_BINARY,
-                                   .len = sizeof(struct in_addr) },
-       [SEG6_LOCAL_NH6]        = { .type = NLA_BINARY,
-                                   .len = sizeof(struct in6_addr) },
+       [SEG6_LOCAL_NH4]        = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+       [SEG6_LOCAL_NH6]        = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
        [SEG6_LOCAL_IIF]        = { .type = NLA_U32 },
        [SEG6_LOCAL_OIF]        = { .type = NLA_U32 },
        [SEG6_LOCAL_BPF]        = { .type = NLA_NESTED },