diff options
| author | David S. Miller <davem@davemloft.net> | 2018-10-02 01:29:25 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-10-02 01:29:25 -0400 |
| commit | ee0b6f4834b59bb0002e2dc8f42a73a399a9246e (patch) | |
| tree | 65a961ef84af7aa50c82a5318b68911076508869 | |
| parent | 1ad98e9d1bdf4724c0a8532fabd84bf3c457c2bc (diff) | |
| parent | 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2018-10-01
1) Validate address prefix lengths in the xfrm selector,
otherwise we may hit undefined behaviour in the
address matching functions if the prefix is too
big for the given address family.
2) Fix skb leak on local message size errors.
From Thadeu Lima de Souza Cascardo.
3) We currently reset the transport header back to the network
header after a transport mode transformation is applied. This
leads to an incorrect transport header when multiple transport
mode transformations are applied. Reset the transport header
only after all transformations are already applied to fix this.
From Sowmini Varadhan.
4) We only support one offloaded xfrm, so reset crypto_done after
the first transformation in xfrm_input(). Otherwise we may call
the wrong input method for subsequent transformations.
From Sowmini Varadhan.
5) Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
skb_dst_force does not really force a dst refcount anymore, it might
clear it instead. xfrm code did not expect this, add a check to not
dereference skb_dst() if it was cleared by skb_dst_force.
6) Validate xfrm template mode, otherwise we can get a stack-out-of-bounds
read in xfrm_state_find. From Sean Tranchetti.
Please pull or let me know if there are problems.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/xfrm4_input.c | 1 | ||||
| -rw-r--r-- | net/ipv4/xfrm4_mode_transport.c | 4 | ||||
| -rw-r--r-- | net/ipv6/xfrm6_input.c | 1 | ||||
| -rw-r--r-- | net/ipv6/xfrm6_mode_transport.c | 4 | ||||
| -rw-r--r-- | net/ipv6/xfrm6_output.c | 2 | ||||
| -rw-r--r-- | net/xfrm/xfrm_input.c | 1 | ||||
| -rw-r--r-- | net/xfrm/xfrm_output.c | 4 | ||||
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 4 | ||||
| -rw-r--r-- | net/xfrm/xfrm_user.c | 15 |
9 files changed, 30 insertions, 6 deletions
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index bcfc00e88756..f8de2482a529 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c | |||
| @@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async) | |||
| 67 | 67 | ||
| 68 | if (xo && (xo->flags & XFRM_GRO)) { | 68 | if (xo && (xo->flags & XFRM_GRO)) { |
| 69 | skb_mac_header_rebuild(skb); | 69 | skb_mac_header_rebuild(skb); |
| 70 | skb_reset_transport_header(skb); | ||
| 70 | return 0; | 71 | return 0; |
| 71 | } | 72 | } |
| 72 | 73 | ||
diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c index 3d36644890bb..1ad2c2c4e250 100644 --- a/net/ipv4/xfrm4_mode_transport.c +++ b/net/ipv4/xfrm4_mode_transport.c | |||
| @@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 46 | static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) | 46 | static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) |
| 47 | { | 47 | { |
| 48 | int ihl = skb->data - skb_transport_header(skb); | 48 | int ihl = skb->data - skb_transport_header(skb); |
| 49 | struct xfrm_offload *xo = xfrm_offload(skb); | ||
| 50 | 49 | ||
| 51 | if (skb->transport_header != skb->network_header) { | 50 | if (skb->transport_header != skb->network_header) { |
| 52 | memmove(skb_transport_header(skb), | 51 | memmove(skb_transport_header(skb), |
| @@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 54 | skb->network_header = skb->transport_header; | 53 | skb->network_header = skb->transport_header; |
| 55 | } | 54 | } |
| 56 | ip_hdr(skb)->tot_len = htons(skb->len + ihl); | 55 | ip_hdr(skb)->tot_len = htons(skb->len + ihl); |
| 57 | if (!xo || !(xo->flags & XFRM_GRO)) | 56 | skb_reset_transport_header(skb); |
| 58 | skb_reset_transport_header(skb); | ||
| 59 | return 0; | 57 | return 0; |
| 60 | } | 58 | } |
| 61 | 59 | ||
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index 841f4a07438e..9ef490dddcea 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c | |||
| @@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async) | |||
| 59 | 59 | ||
| 60 | if (xo && (xo->flags & XFRM_GRO)) { | 60 | if (xo && (xo->flags & XFRM_GRO)) { |
| 61 | skb_mac_header_rebuild(skb); | 61 | skb_mac_header_rebuild(skb); |
| 62 | skb_reset_transport_header(skb); | ||
| 62 | return -1; | 63 | return -1; |
| 63 | } | 64 | } |
| 64 | 65 | ||
diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c index 9ad07a91708e..3c29da5defe6 100644 --- a/net/ipv6/xfrm6_mode_transport.c +++ b/net/ipv6/xfrm6_mode_transport.c | |||
| @@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 51 | static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) | 51 | static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) |
| 52 | { | 52 | { |
| 53 | int ihl = skb->data - skb_transport_header(skb); | 53 | int ihl = skb->data - skb_transport_header(skb); |
| 54 | struct xfrm_offload *xo = xfrm_offload(skb); | ||
| 55 | 54 | ||
| 56 | if (skb->transport_header != skb->network_header) { | 55 | if (skb->transport_header != skb->network_header) { |
| 57 | memmove(skb_transport_header(skb), | 56 | memmove(skb_transport_header(skb), |
| @@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 60 | } | 59 | } |
| 61 | ipv6_hdr(skb)->payload_len = htons(skb->len + ihl - | 60 | ipv6_hdr(skb)->payload_len = htons(skb->len + ihl - |
| 62 | sizeof(struct ipv6hdr)); | 61 | sizeof(struct ipv6hdr)); |
| 63 | if (!xo || !(xo->flags & XFRM_GRO)) | 62 | skb_reset_transport_header(skb); |
| 64 | skb_reset_transport_header(skb); | ||
| 65 | return 0; | 63 | return 0; |
| 66 | } | 64 | } |
| 67 | 65 | ||
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index 5959ce9620eb..6a74080005cf 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c | |||
| @@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) | |||
| 170 | 170 | ||
| 171 | if (toobig && xfrm6_local_dontfrag(skb)) { | 171 | if (toobig && xfrm6_local_dontfrag(skb)) { |
| 172 | xfrm6_local_rxpmtu(skb, mtu); | 172 | xfrm6_local_rxpmtu(skb, mtu); |
| 173 | kfree_skb(skb); | ||
| 173 | return -EMSGSIZE; | 174 | return -EMSGSIZE; |
| 174 | } else if (!skb->ignore_df && toobig && skb->sk) { | 175 | } else if (!skb->ignore_df && toobig && skb->sk) { |
| 175 | xfrm_local_error(skb, mtu); | 176 | xfrm_local_error(skb, mtu); |
| 177 | kfree_skb(skb); | ||
| 176 | return -EMSGSIZE; | 178 | return -EMSGSIZE; |
| 177 | } | 179 | } |
| 178 | 180 | ||
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index b89c9c7f8c5c..be3520e429c9 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
| @@ -458,6 +458,7 @@ resume: | |||
| 458 | XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR); | 458 | XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR); |
| 459 | goto drop; | 459 | goto drop; |
| 460 | } | 460 | } |
| 461 | crypto_done = false; | ||
| 461 | } while (!err); | 462 | } while (!err); |
| 462 | 463 | ||
| 463 | err = xfrm_rcv_cb(skb, family, x->type->proto, 0); | 464 | err = xfrm_rcv_cb(skb, family, x->type->proto, 0); |
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 45ba07ab3e4f..261995d37ced 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c | |||
| @@ -100,6 +100,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err) | |||
| 100 | spin_unlock_bh(&x->lock); | 100 | spin_unlock_bh(&x->lock); |
| 101 | 101 | ||
| 102 | skb_dst_force(skb); | 102 | skb_dst_force(skb); |
| 103 | if (!skb_dst(skb)) { | ||
| 104 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); | ||
| 105 | goto error_nolock; | ||
| 106 | } | ||
| 103 | 107 | ||
| 104 | if (xfrm_offload(skb)) { | 108 | if (xfrm_offload(skb)) { |
| 105 | x->type_offload->encap(x, skb); | 109 | x->type_offload->encap(x, skb); |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 3110c3fbee20..f094d4b3520d 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -2491,6 +2491,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family) | |||
| 2491 | } | 2491 | } |
| 2492 | 2492 | ||
| 2493 | skb_dst_force(skb); | 2493 | skb_dst_force(skb); |
| 2494 | if (!skb_dst(skb)) { | ||
| 2495 | XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); | ||
| 2496 | return 0; | ||
| 2497 | } | ||
| 2494 | 2498 | ||
| 2495 | dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE); | 2499 | dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE); |
| 2496 | if (IS_ERR(dst)) { | 2500 | if (IS_ERR(dst)) { |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 4791aa8b8185..df7ca2dabc48 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, | |||
| 151 | err = -EINVAL; | 151 | err = -EINVAL; |
| 152 | switch (p->family) { | 152 | switch (p->family) { |
| 153 | case AF_INET: | 153 | case AF_INET: |
| 154 | if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) | ||
| 155 | goto out; | ||
| 156 | |||
| 154 | break; | 157 | break; |
| 155 | 158 | ||
| 156 | case AF_INET6: | 159 | case AF_INET6: |
| 157 | #if IS_ENABLED(CONFIG_IPV6) | 160 | #if IS_ENABLED(CONFIG_IPV6) |
| 161 | if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) | ||
| 162 | goto out; | ||
| 163 | |||
| 158 | break; | 164 | break; |
| 159 | #else | 165 | #else |
| 160 | err = -EAFNOSUPPORT; | 166 | err = -EAFNOSUPPORT; |
| @@ -1396,10 +1402,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) | |||
| 1396 | 1402 | ||
| 1397 | switch (p->sel.family) { | 1403 | switch (p->sel.family) { |
| 1398 | case AF_INET: | 1404 | case AF_INET: |
| 1405 | if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) | ||
| 1406 | return -EINVAL; | ||
| 1407 | |||
| 1399 | break; | 1408 | break; |
| 1400 | 1409 | ||
| 1401 | case AF_INET6: | 1410 | case AF_INET6: |
| 1402 | #if IS_ENABLED(CONFIG_IPV6) | 1411 | #if IS_ENABLED(CONFIG_IPV6) |
| 1412 | if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) | ||
| 1413 | return -EINVAL; | ||
| 1414 | |||
| 1403 | break; | 1415 | break; |
| 1404 | #else | 1416 | #else |
| 1405 | return -EAFNOSUPPORT; | 1417 | return -EAFNOSUPPORT; |
| @@ -1480,6 +1492,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) | |||
| 1480 | (ut[i].family != prev_family)) | 1492 | (ut[i].family != prev_family)) |
| 1481 | return -EINVAL; | 1493 | return -EINVAL; |
| 1482 | 1494 | ||
| 1495 | if (ut[i].mode >= XFRM_MODE_MAX) | ||
| 1496 | return -EINVAL; | ||
| 1497 | |||
| 1483 | prev_family = ut[i].family; | 1498 | prev_family = ut[i].family; |
| 1484 | 1499 | ||
| 1485 | switch (ut[i].family) { | 1500 | switch (ut[i].family) { |