xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)

Code path when (encap_type < 0) does not verify the state is valid
before progressing.

This will result in a crash if, for instance, x->km.state ==
XFRM_STATE_ACQ.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Signed-off-by: Aviv Heller <avivh@mellanox.com>
Signed-off-by: Yevgeny Kliteynik <kliteyn@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

1 files changed, 11 insertions, 1 deletions

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 347ab31574d5..da6447389ffb 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -207,7 +207,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
         xfrm_address_t *daddr;
         struct xfrm_mode *inner_mode;
         u32 mark = skb->mark;
-        unsigned int family;
+        unsigned int family = AF_UNSPEC;
         int decaps = 0;
         int async = 0;
         bool xfrm_gro = false;
@@ -216,6 +216,16 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 
         if (encap_type < 0) {
                 x = xfrm_input_state(skb);
+
+                if (unlikely(x->km.state != XFRM_STATE_VALID)) {
+                        if (x->km.state == XFRM_STATE_ACQ)
+                                XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
+                        else
+                                XFRM_INC_STATS(net,
+                                               LINUX_MIB_XFRMINSTATEINVALID);
+                        goto drop;
+                }
+
                 family = x->outer_mode->afinfo->family;
 
                 /* An encap_type of -1 indicates async resumption. */