summaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorXin Long <lucien.xin@gmail.com>2020-02-09 14:15:29 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2020-02-12 11:06:32 +0100
commit171d449a028573b2f0acdc7f31ecbb045391b320 (patch)
treec854c58aa283006d3beffbd69a608ce444c3fdaa /net/xfrm
parentvti[6]: fix packet tx through bpf_redirect() in XinY cases (diff)
downloadlinux-171d449a028573b2f0acdc7f31ecbb045391b320.tar.xz
linux-171d449a028573b2f0acdc7f31ecbb045391b320.zip
xfrm: fix uctx len check in verify_sec_ctx_len
It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_user.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b88ba45ff1ac..38ff02d31402 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
return 0;
uctx = nla_data(rt);
- if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+ if (uctx->len > nla_len(rt) ||
+ uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
return -EINVAL;
return 0;