mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-01 22:54:01 +00:00
xfrm: fix uctx len check in verify_sec_ctx_len
commit171d449a02
upstream. It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes:df71837d50
("[LSM-IPSec]: Security association restriction.") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
2eb46d0044
commit
cf265c64c9
1 changed files with 2 additions and 1 deletions
|
@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
|
|||
return 0;
|
||||
|
||||
uctx = nla_data(rt);
|
||||
if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
|
||||
if (uctx->len > nla_len(rt) ||
|
||||
uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
|
||||
return -EINVAL;
|
||||
|
||||
return 0;
|
||||
|
|
Loading…
Reference in a new issue