]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
projects / mirror_ubuntu-bionic-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d0d31e7) | patch
xfrm: fix uctx len check in verify_sec_ctx_len
authorXin Long <lucien.xin@gmail.com>
Sun, 9 Feb 2020 13:15:29 +0000 (21:15 +0800)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Tue, 7 Apr 2020 08:52:51 +0000 (10:52 +0200)
commit70b534c324252a1e68b45ee1e562b1c9e3a2d1c9
tree3873b28148e365fe1740d13e09d5d9a15890663etree
parentd0d31e72b6df98f072684e5a998139f05ec905c7commit | diff
xfrm: fix uctx len check in verify_sec_ctx_len

BugLink: https://bugs.launchpad.net/bugs/1870604
commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.

It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.

This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
net/xfrm/xfrm_user.c diff | blob | blame | history
ubuntu-bionic-kernel mirror