xfrm: fix uctx len check in verify_sec_ctx_len - user/sven/linux.git

diff options

author	Xin Long <lucien.xin@gmail.com>	2020-02-09 21:15:29 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-01 11:02:06 +0200
commit	a5c5cf6f24bb37fdb79f519fd7b905374dfbfc32 (patch)
tree	fe45b6c6ea6a8802641763b518a93ddccd349656 /include
parent	1b92d81d4cc208fe5eb3389b257fe932cf0ac331 (diff)

xfrm: fix uctx len check in verify_sec_ctx_len

commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream. It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: