Commit e2b19125e94124daaeda1ddcf9b85b04575ad86f
Committed by
David S. Miller
David S. Miller
1 parent
af2f464e32
Exists in
master
and in
4 other branches
xfrm: Check for esn buffer len in xfrm_new_ae
In xfrm_new_ae() we may overwrite the allocated esn replay state buffer with a wrong size. So check that the new size matches the original allocated size and return an error if this is not the case. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 21 additions and 0 deletions Side-by-side Diff
net/xfrm/xfrm_user.c
| ... | ... | @@ -360,6 +360,23 @@ |
| 360 | 360 | return 0; |
| 361 | 361 | } |
| 362 | 362 | |
| 363 | +static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, | |
| 364 | + struct nlattr *rp) | |
| 365 | +{ | |
| 366 | + struct xfrm_replay_state_esn *up; | |
| 367 | + | |
| 368 | + if (!replay_esn || !rp) | |
| 369 | + return 0; | |
| 370 | + | |
| 371 | + up = nla_data(rp); | |
| 372 | + | |
| 373 | + if (xfrm_replay_state_esn_len(replay_esn) != | |
| 374 | + xfrm_replay_state_esn_len(up)) | |
| 375 | + return -EINVAL; | |
| 376 | + | |
| 377 | + return 0; | |
| 378 | +} | |
| 379 | + | |
| 363 | 380 | static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, |
| 364 | 381 | struct xfrm_replay_state_esn **preplay_esn, |
| 365 | 382 | struct nlattr *rta) |
| ... | ... | @@ -1764,6 +1781,10 @@ |
| 1764 | 1781 | return -ESRCH; |
| 1765 | 1782 | |
| 1766 | 1783 | if (x->km.state != XFRM_STATE_VALID) |
| 1784 | + goto out; | |
| 1785 | + | |
| 1786 | + err = xfrm_replay_verify_len(x->replay_esn, rp); | |
| 1787 | + if (err) | |
| 1767 | 1788 | goto out; |
| 1768 | 1789 | |
| 1769 | 1790 | spin_lock_bh(&x->lock); |