author | Stefano Brivio <sbrivio@redhat.com> | 2024-04-23 22:29:25 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2024-05-11 00:52:19 +0200 |
commit | 623c2fd621e79f8a6e4d260d2dbfad1ce0f4e8fc (patch) | |
tree | 681639cc1342f3c089ba58b6ffaf4bca7ff93c36 /contrib/apparmor/usr.bin.pasta | |
parent | 72884484b00dbab548da056972e28ddb85518386 (diff) | |
netlink: Don't duplicate routes referring to unrelated host interfaces

We take care of this in nl_addr_dup(): if the interface index
associated to an address doesn't match the selected host interface
(ifa->ifa_index != ifi_src), we don't copy that address.

But for routes, we just unconditionally update the interface index to
match the index in the target namespace, even if the source interface
didn't match.

This might happen in two cases: with a pre-4.20 kernel without support
for NETLINK_GET_STRICT_CHK, which won't filter routes based on the
interface we pass in the request, as reported by runsisi, and any
kernel with support for multipath routes where any of the nexthops
refers to an unrelated host interface.

In both cases, check the index of the source interface, and avoid
copying unrelated routes.

Reported-by: runsisi <runsisi@hust.edu.cn>
Link: https://bugs.passt.top/show_bug.cgi?id=86
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: runsisi <runsisi@hust.edu.cn>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

Diffstat (limited to 'contrib/apparmor/usr.bin.pasta')
0 files changed, 0 insertions, 0 deletions
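
The check the commit message describes, as an added example that is not passt's code: a route is accepted for copying only if its RTA_OIF and every nexthop in RTA_MULTIPATH refer to the selected host interface. The names `route_matches_ifi`, `check_sample`, `sample_oif` and `sample_multipath` are hypothetical, and the route messages are constructed in memory, with interface index 2 standing for the selected interface and 3 for an unrelated one.

```c
#include <linux/rtnetlink.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not passt code. msg: struct rtmsg plus attributes, len bytes.
 * True only if RTA_OIF and every RTA_MULTIPATH nexthop name ifi_src. */
bool route_matches_ifi(const char *msg, int len, unsigned ifi_src)
{
	struct rtattr *rta = RTM_RTA(msg);

	for (len -= (int)NLMSG_ALIGN(sizeof(struct rtmsg)); RTA_OK(rta, len); rta = RTA_NEXT(rta, len)) {
		struct rtnexthop *rtnh = RTA_DATA(rta);
		int left = RTA_PAYLOAD(rta);

		/* Single-path route: a short or mismatching RTA_OIF is rejected */
		if (rta->rta_type == RTA_OIF &&
		    (left < (int)sizeof(ifi_src) || *(unsigned *)RTA_DATA(rta) != ifi_src))
			return false;
		if (rta->rta_type != RTA_MULTIPATH)
			continue;
		/* Multipath route: one unrelated nexthop is enough to reject it */
		while (left >= (int)sizeof(*rtnh) && RTNH_OK(rtnh, left)) {
			if ((unsigned)rtnh->rtnh_ifindex != ifi_src)
				return false;
			left -= RTNH_ALIGN(rtnh->rtnh_len);
			rtnh = RTNH_NEXT(rtnh);
		}
	}
	return true;
}

/* Constructed sample input: a zeroed route message holding one attribute */
static bool check_sample(unsigned short type, const void *data, int dlen, unsigned ifi_src)
{
	_Alignas(4) char buf[64] = { 0 };
	struct rtattr *rta = RTM_RTA(buf);

	rta->rta_type = type;
	rta->rta_len = RTA_LENGTH(dlen);
	memcpy(RTA_DATA(rta), data, dlen);
	return route_matches_ifi(buf, NLMSG_ALIGN(sizeof(struct rtmsg)) + RTA_ALIGN(rta->rta_len), ifi_src);
}

bool sample_oif(unsigned oif, unsigned ifi_src)
{
	return check_sample(RTA_OIF, &oif, sizeof(oif), ifi_src);
}

bool sample_multipath(int ifi_a, int ifi_b, unsigned ifi_src)
{
	struct rtnexthop nh[2] = { { sizeof(*nh), 0, 0, ifi_a }, { sizeof(*nh), 0, 0, ifi_b } };
	return check_sample(RTA_MULTIPATH, nh, sizeof(nh), ifi_src);
}
```

`sample_oif(3, 2)` models the pre-4.20 case, where the kernel returns a route for an interface that was not requested, and `sample_multipath(2, 3, 2)` models a multipath route with one nexthop on an unrelated interface; both are rejected.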