summaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2012-09-13 11:41:26 +0000
committerDavid S. Miller <davem@davemloft.net>2012-09-18 16:13:45 -0400
commit864745d291b5ba80ea0bd0edcbe67273de368836 (patch)
tree3a1f7ea5641d94680f30514c88b4996e736926bc /net/xfrm
parent2c20cbd7e3aa6e9dddc07975d3f3a89fe1f69c00 (diff)
downloadlinux-stable-864745d291b5ba80ea0bd0edcbe67273de368836.tar.gz
linux-stable-864745d291b5ba80ea0bd0edcbe67273de368836.tar.bz2
linux-stable-864745d291b5ba80ea0bd0edcbe67273de368836.zip
xfrm_user: return error pointer instead of NULL
When dump_one_state() returns an error, e.g. because of a too small buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL instead of an error pointer. But its callers expect an error pointer and therefore continue to operate on a NULL skbuff. This could lead to a privilege escalation (execution of user code in kernel context) if the attacker has CAP_NET_ADMIN and is able to map address 0. Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_user.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e75d8e47f35c..dac08e2a5a93 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -878,6 +878,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
{
struct xfrm_dump_info info;
struct sk_buff *skb;
+ int err;
skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!skb)
@@ -888,9 +889,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
info.nlmsg_seq = seq;
info.nlmsg_flags = 0;
- if (dump_one_state(x, 0, &info)) {
+ err = dump_one_state(x, 0, &info);
+ if (err) {
kfree_skb(skb);
- return NULL;
+ return ERR_PTR(err);
}
return skb;