diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2014-04-29 01:50:44 -0400 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2014-04-29 02:41:12 -0400 |
| commit | 61622cc6f29034d0479f7ac16f3d48f1eeabf3a1 (patch) | |
| tree | b49867c60edbdcff26cf967c42f103493991746e | |
| parent | a32452366b7250c42e96a18ffc3ad8db9e0ca3c2 (diff) | |
xfrm4: Properly handle unsupported protocols
We don't catch the case if an unsupported protocol is submitted
to the xfrm4 protocol handlers, this can lead to NULL pointer
dereferences. Fix this by adding the appropriate checks.
Fixes: 3328715e ("xfrm4: Add IPsec protocol multiplexer")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
| -rw-r--r-- | net/ipv4/xfrm4_protocol.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c index 7f7b243e8139..a2ce0101eaac 100644 --- a/net/ipv4/xfrm4_protocol.c +++ b/net/ipv4/xfrm4_protocol.c | |||
| @@ -50,8 +50,12 @@ int xfrm4_rcv_cb(struct sk_buff *skb, u8 protocol, int err) | |||
| 50 | { | 50 | { |
| 51 | int ret; | 51 | int ret; |
| 52 | struct xfrm4_protocol *handler; | 52 | struct xfrm4_protocol *handler; |
| 53 | struct xfrm4_protocol __rcu **head = proto_handlers(protocol); | ||
| 53 | 54 | ||
| 54 | for_each_protocol_rcu(*proto_handlers(protocol), handler) | 55 | if (!head) |
| 56 | return 0; | ||
| 57 | |||
| 58 | for_each_protocol_rcu(*head, handler) | ||
| 55 | if ((ret = handler->cb_handler(skb, err)) <= 0) | 59 | if ((ret = handler->cb_handler(skb, err)) <= 0) |
| 56 | return ret; | 60 | return ret; |
| 57 | 61 | ||
| @@ -64,15 +68,20 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, | |||
| 64 | { | 68 | { |
| 65 | int ret; | 69 | int ret; |
| 66 | struct xfrm4_protocol *handler; | 70 | struct xfrm4_protocol *handler; |
| 71 | struct xfrm4_protocol __rcu **head = proto_handlers(nexthdr); | ||
| 67 | 72 | ||
| 68 | XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; | 73 | XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; |
| 69 | XFRM_SPI_SKB_CB(skb)->family = AF_INET; | 74 | XFRM_SPI_SKB_CB(skb)->family = AF_INET; |
| 70 | XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); | 75 | XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); |
| 71 | 76 | ||
| 72 | for_each_protocol_rcu(*proto_handlers(nexthdr), handler) | 77 | if (!head) |
| 78 | goto out; | ||
| 79 | |||
| 80 | for_each_protocol_rcu(*head, handler) | ||
| 73 | if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL) | 81 | if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL) |
| 74 | return ret; | 82 | return ret; |
| 75 | 83 | ||
| 84 | out: | ||
| 76 | icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | 85 | icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); |
| 77 | 86 | ||
| 78 | kfree_skb(skb); | 87 | kfree_skb(skb); |
| @@ -208,6 +217,9 @@ int xfrm4_protocol_register(struct xfrm4_protocol *handler, | |||
| 208 | int ret = -EEXIST; | 217 | int ret = -EEXIST; |
| 209 | int priority = handler->priority; | 218 | int priority = handler->priority; |
| 210 | 219 | ||
| 220 | if (!proto_handlers(protocol) || !netproto(protocol)) | ||
| 221 | return -EINVAL; | ||
| 222 | |||
| 211 | mutex_lock(&xfrm4_protocol_mutex); | 223 | mutex_lock(&xfrm4_protocol_mutex); |
| 212 | 224 | ||
| 213 | if (!rcu_dereference_protected(*proto_handlers(protocol), | 225 | if (!rcu_dereference_protected(*proto_handlers(protocol), |
| @@ -250,6 +262,9 @@ int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, | |||
| 250 | struct xfrm4_protocol *t; | 262 | struct xfrm4_protocol *t; |
| 251 | int ret = -ENOENT; | 263 | int ret = -ENOENT; |
| 252 | 264 | ||
| 265 | if (!proto_handlers(protocol) || !netproto(protocol)) | ||
| 266 | return -EINVAL; | ||
| 267 | |||
| 253 | mutex_lock(&xfrm4_protocol_mutex); | 268 | mutex_lock(&xfrm4_protocol_mutex); |
| 254 | 269 | ||
| 255 | for (pprev = proto_handlers(protocol); | 270 | for (pprev = proto_handlers(protocol); |