seg6: Fix validation of nexthop addresses

[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ]

The kernel currently validates that the length of the provided nexthop
address does not exceed the specified length. This can lead to the
kernel reading uninitialized memory if user space provided a shorter
length than the specified one.

Fix by validating that the provided length exactly matches the specified
one.

Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
index 0b64cf5b0f267522c3f7b9dfb6dcc44e160b5d6a..98af48b3fcce6165c512731f36f01c7ef55014d7 100644 (file)
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -1123,10 +1123,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
        [SEG6_LOCAL_SRH]        = { .type = NLA_BINARY },
        [SEG6_LOCAL_TABLE]      = { .type = NLA_U32 },
        [SEG6_LOCAL_VRFTABLE]   = { .type = NLA_U32 },
-       [SEG6_LOCAL_NH4]        = { .type = NLA_BINARY,
-                                   .len = sizeof(struct in_addr) },
-       [SEG6_LOCAL_NH6]        = { .type = NLA_BINARY,
-                                   .len = sizeof(struct in6_addr) },
+       [SEG6_LOCAL_NH4]        = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+       [SEG6_LOCAL_NH6]        = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
        [SEG6_LOCAL_IIF]        = { .type = NLA_U32 },
        [SEG6_LOCAL_OIF]        = { .type = NLA_U32 },
        [SEG6_LOCAL_BPF]        = { .type = NLA_NESTED },