From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 3/8] xfrm: fix uctx len check in verify_sec_ctx_len
Date: Fri, 27 Mar 2020 09:10:02 +0100 [thread overview]
Message-ID: <20200327081007.1185-4-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20200327081007.1185-1-steffen.klassert@secunet.com>
From: Xin Long <lucien.xin@gmail.com>
It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.
This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).
Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_user.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b88ba45ff1ac..38ff02d31402 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
return 0;
uctx = nla_data(rt);
- if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+ if (uctx->len > nla_len(rt) ||
+ uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
return -EINVAL;
return 0;
--
2.17.1
next prev parent reply other threads:[~2020-03-27 8:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-27 8:09 pull request (net): ipsec 2020-03-27 Steffen Klassert
2020-03-27 8:10 ` [PATCH 1/8] xfrm: handle NETDEV_UNREGISTER for xfrm device Steffen Klassert
2020-03-27 8:10 ` [PATCH 2/8] vti[6]: fix packet tx through bpf_redirect() in XinY cases Steffen Klassert
2020-03-27 8:10 ` Steffen Klassert [this message]
2020-03-27 8:10 ` [PATCH 4/8] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire Steffen Klassert
2020-03-27 8:10 ` [PATCH 5/8] ipv6: xfrm6_tunnel.c: Use built-in RCU list checking Steffen Klassert
2020-03-27 8:10 ` [PATCH 6/8] esp: remove the skb from the chain when it's enqueued in cryptd_wq Steffen Klassert
2020-03-27 8:10 ` [PATCH 7/8] vti6: Fix memory leak of skb if input policy check fails Steffen Klassert
2020-03-27 8:10 ` [PATCH 8/8] xfrm: policy: Fix doulbe free in xfrm_policy_timer Steffen Klassert
2020-03-27 21:57 ` pull request (net): ipsec 2020-03-27 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200327081007.1185-4-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).