From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Anirudh Gupta <anirudhrudr@gmail.com>,
Anirudh Gupta <anirudh.gupta@sophos.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 16/73] xfrm: Fix xfrm sel prefix length validation
Date: Mon, 15 Jul 2019 10:35:32 -0400 [thread overview]
Message-ID: <20190715143629.10893-16-sashal@kernel.org> (raw)
In-Reply-To: <20190715143629.10893-1-sashal@kernel.org>
From: Anirudh Gupta <anirudhrudr@gmail.com>
[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.
Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_user.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index ca5c79bfd9a5..df4b7fc721f6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
err = -EINVAL;
switch (p->family) {
+ case AF_INET:
+ break;
+
+ case AF_INET6:
+#if IS_ENABLED(CONFIG_IPV6)
+ break;
+#else
+ err = -EAFNOSUPPORT;
+ goto out;
+#endif
+
+ default:
+ goto out;
+ }
+
+ switch (p->sel.family) {
case AF_INET:
if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
goto out;
--
2.20.1
next prev parent reply other threads:[~2019-07-15 14:44 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-15 14:35 [PATCH AUTOSEL 4.9 01/73] ath10k: Do not send probe response template for mesh Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 02/73] ath9k: Check for errors when reading SREV register Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 03/73] ath6kl: add some bounds checking Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 04/73] ath: DFS JP domain W56 fixed pulse type 3 RADAR detection Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 05/73] batman-adv: fix for leaked TVLV handler Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 11/73] net: stmmac: dwmac1000: Clear unused address entries Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 12/73] net: stmmac: dwmac4/5: " Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 15/73] af_key: fix leaks in key_pol_get_resp and dump_sp Sasha Levin
2019-07-15 14:35 ` Sasha Levin [this message]
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 17/73] Revert "e1000e: fix cyclic resets at link up with active tx" Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 18/73] e1000e: start network tx queue only when link is up Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 21/73] net: phy: Check against net_device being NULL Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 28/73] net: fec: Do not use netdev messages too early Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 29/73] net: axienet: Fix race condition causing TX hang Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 36/73] bpf: silence warning messages in core Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 39/73] xfrm: fix sa selector validation Sasha Levin
2019-07-15 14:35 ` [PATCH AUTOSEL 4.9 41/73] vhost_net: disable zerocopy by default Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 44/73] ipsec: select crypto ciphers for xfrm_algo Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 51/73] mt7601u: do not schedule rx_tasklet when the device has been disconnected Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 53/73] mt7601u: fix possible memory leak when the device is disconnected Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 54/73] ath10k: fix PCIE device wake up failed Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 60/73] ixgbe: Check DDM existence in transceiver before access Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 65/73] iwlwifi: mvm: Drop large non sta frames Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 66/73] net: usb: asix: init MAC address buffers Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 69/73] Bluetooth: 6lowpan: search for destination address in all peers Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 70/73] Bluetooth: Check state in l2cap_disconnect_rsp Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 71/73] Bluetooth: validate BLE connection interval updates Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 72/73] gtp: fix Illegal context switch in RCU read-side critical section Sasha Levin
2019-07-15 14:36 ` [PATCH AUTOSEL 4.9 73/73] gtp: fix use-after-free in gtp_newlink() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190715143629.10893-16-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=anirudh.gupta@sophos.com \
--cc=anirudhrudr@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).