Linux Ethernet Bridging - Dec 2018 - [Bridge] [PATCH net] net: rtnetlink: address is mandatory for rtnl_fdb_get

On 30/12/2018 06:01, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:??? 90cadbbf341d Merge
git://git.kernel.org/pub/scm/linux/kern..
> git tree:?????? net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1745c69b400000
> kernel config:? https://syzkaller.appspot.com/x/.config?x=9d41c8529d7e7362
> dashboard link:
https://syzkaller.appspot.com/bug?extid=017b1f61c82a1c3e7efd
> compiler:?????? gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:????? https://syzkaller.appspot.com/x/repro.syz?x=15babaab400000
> C reproducer:?? https://syzkaller.appspot.com/x/repro.c?x=14c6142d400000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+017b1f61c82a1c3e7efd at syzkaller.appspotmail.com
> 
Ah yes, good catch. We've missed this obvious bug during the review.
A patch is on its way, just need to run a few tests.

Cheers,
 Nik

We must have an address to lookup otherwise we'll derefence a null
pointer in the ndo_fdb_get callbacks.

CC: Roopa Prabhu <roopa at cumulusnetworks.com>
CC: David Ahern <dsa at cumulusnetworks.com>
Reported-by: syzbot+017b1f61c82a1c3e7efd at syzkaller.appspotmail.com
Fixes: 5b2f94b27622 ("net: rtnetlink: support for fdb get")
Signed-off-by: Nikolay Aleksandrov <nikolay at cumulusnetworks.com>
---
 net/core/rtnetlink.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 48f61885fd6f..5ea1bed08ede 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4104,6 +4104,11 @@ static int rtnl_fdb_get(struct sk_buff *in_skb, struct
nlmsghdr *nlh,
 	if (err < 0)
 		return err;
 
+	if (!addr) {
+		NL_SET_ERR_MSG(extack, "Missing lookup address for fdb get
request");
+		return -EINVAL;
+	}
+
 	if (brport_idx) {
 		dev = __dev_get_by_index(net, brport_idx);
 		if (!dev) {
-- 
2.19.2