Commit e2b19125e94124daaeda1ddcf9b85b04575ad86f
Committed by
David S. Miller
1 parent
af2f464e32
xfrm: Check for esn buffer len in xfrm_new_ae
In xfrm_new_ae() we may overwrite the allocated esn replay state buffer with a wrong size. So check that the new size matches the original allocated size and return an error if this is not the case. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 21 additions and 0 deletions Side-by-side Diff
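--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -360,6 +360,23 @@
 	return 0;
 }
 
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+					 struct nlattr *rp)
+{
+	struct xfrm_replay_state_esn *up;
+
+	if (!replay_esn || !rp)
+		return 0;
+
+	up = nla_data(rp);
+
+	if (xfrm_replay_state_esn_len(replay_esn) !=
+	    xfrm_replay_state_esn_len(up))
+		return -EINVAL;
+
+	return 0;
+}
+
 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
 				       struct xfrm_replay_state_esn **preplay_esn,
 				       struct nlattr *rta)
@@ -1764,6 +1781,10 @@
 		return -ESRCH;
 
 	if (x->km.state != XFRM_STATE_VALID)
+		goto out;
+
+	err = xfrm_replay_verify_len(x->replay_esn, rp);
+	if (err)
 		goto out;
 
 	spin_lock_bh(&x->lock);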
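Review bot: xfrm_replay_verify_len() compares the length derived from the incoming attribute with the length of the allocated replay state, but never checks that the attribute payload itself is that long, so an XFRMA_REPLAY_ESN_VAL attribute whose header claims a bitmap size matching the original allocation while nla_len(rp) is shorter still passes, and the copy into the allocated buffer that the commit message describes (outside this hunk, under x->lock) would read past the end of the attribute. xfrm_replay_state_esn_len() is a header helper not shown here; assuming it computes the size from up->bmp_len, add `if (nla_len(rp) < (int)xfrm_replay_state_esn_len(up)) return -EINVAL;` ahead of the existing comparison, since any policy-level minimum length for this attribute would cover only the fixed struct, not the variable bitmap. As a style point, a file-local helper in this file is plain `static`; the `inline` on the new function adds nothing. xfrm_new_ae() begins and ends outside this hunk.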