diff options
| author | Xin Long <lucien.xin@gmail.com> | 2020-02-09 21:15:29 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-04-02 15:28:18 +0200 |
| commit | cf265c64c91957fd0f1b86b7427028d823966d74 (patch) | |
| tree | d1be38999864abeaa1999479548142697bb44a0a /net/xfrm | |
| parent | 2eb46d0044849a70c796e3646a6ce50e5a69a992 (diff) | |
| download | linux-stable-cf265c64c91957fd0f1b86b7427028d823966d74.tar.gz linux-stable-cf265c64c91957fd0f1b86b7427028d823966d74.tar.bz2 linux-stable-cf265c64c91957fd0f1b86b7427028d823966d74.zip | |
xfrm: fix uctx len check in verify_sec_ctx_len
commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.
It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.
This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).
Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/xfrm')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 1484bc99a537..27d94489a091 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs) return 0; uctx = nla_data(rt); - if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) + if (uctx->len > nla_len(rt) || + uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) return -EINVAL; return 0; |