diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2017-05-05 07:40:42 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-04-13 19:52:09 +0200 |
| commit | bc705996bb341187df2bbcbf1b6c2c1cf330ef40 (patch) | |
| tree | cd903b5a18634c0a9b212173b1e7af5c679e0240 /net | |
| parent | 51188ac2676d861fb53303a9a394b86f4e7467c6 (diff) | |
| download | linux-stable-bc705996bb341187df2bbcbf1b6c2c1cf330ef40.tar.gz linux-stable-bc705996bb341187df2bbcbf1b6c2c1cf330ef40.tar.bz2 linux-stable-bc705996bb341187df2bbcbf1b6c2c1cf330ef40.zip | |
af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ]
The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.
Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/key/af_key.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 65cce8ceaead..64dbf0dbe358 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3301,7 +3301,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, p += pol->sadb_x_policy_len*8; sec_ctx = (struct sadb_x_sec_ctx *)p; if (len < pol->sadb_x_policy_len*8 + - sec_ctx->sadb_x_sec_len) { + sec_ctx->sadb_x_sec_len*8) { *dir = -EINVAL; goto out; } |