authorAndrew Zaborowski <andrew.zaborowski@intel.com>2022-06-16 00:47:37 +0200
committerDenis Kenzior <denkenz@gmail.com>2022-06-17 11:07:52 -0500
commitb287eafe3e585fffd108401a051e0aa8504c7bbd (patch)
tree0230035677668796aa40e301a3f9ff333edfa984
parent6eb8b8bccdcbbd15e1c788f125dc58735547b45d (diff)
netconfig: Set a limit on number of routes from ICMPv6
While some networks can be configured in a way that prevents rogue Router Advertisements from reaching clients, add a very basic mechanism to avoid a denial-of-service in such a case by limiting the number of routes we track from RAs. This won't prevent the loss of routing but might prevent OOM crashes or slowdowns.
-rw-r--r--ell/netconfig.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/ell/netconfig.c b/ell/netconfig.c
index 79d721c2..ff6bca27 100644
--- a/ell/netconfig.c
+++ b/ell/netconfig.c
@@ -133,6 +133,8 @@ union netconfig_addr {
static struct l_queue *addr_wait_list;
static unsigned int rtnl_id;
+static const unsigned int max_icmp6_routes = 100;
+
static void netconfig_update_cleanup(struct l_netconfig *nc)
{
l_queue_clear(nc->addresses.added, NULL);
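Review bot: `max_icmp6_routes` is added without a comment, so a reader cannot tell its scope or why 100 was chosen. From the second hunk it is compared against `l_queue_length(nc->icmp_route_data)`, which makes it a cap per `l_netconfig` instance rather than a global one. I would state that at the definition, e.g. `/* Max RA-derived routes tracked per l_netconfig instance; bounds memory under a flood of Router Advertisements */`.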
@@ -743,6 +745,9 @@ static struct netconfig_route_data *netconfig_add_icmp6_route(
struct netconfig_route_data *rd;
struct l_rtnl_route *rt;
+ if (l_queue_length(nc->icmp_route_data) >= max_icmp6_routes)
+ return NULL; /* TODO: log a warning the first time */
+
rt = netconfig_route_new(nc, AF_INET6, dst ? dst->address : NULL,
dst ? dst->prefix_len : 0, gateway,
RTPROT_RA);
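Review bot: The new guard at the top of netconfig_add_icmp6_route() refuses routes silently and on a first-come basis. Once `nc->icmp_route_data` holds `max_icmp6_routes` entries every later route is dropped, which presumably includes a legitimate router's default route if it arrives after the queue has filled. The commit message accepts the loss of routing, but until the warning named in the TODO exists an operator has no signal that the cap was reached, so the log should land with this change or be tracked separately. The NULL return also deserves a comment stating the contract, e.g. `/* Cap reached: route is not tracked; callers must handle NULL */`. The callers are outside this hunk and should be checked for a NULL dereference, since it is not visible here whether NULL was a possible return before this change; the function body also continues past the hunk.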