authorEric Dumazet <dada1@cosmosbay.com>2008-01-09 02:39:06 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-09 02:39:06 -0500
commit0f99be0d115a5716292c58dfdb20d2eddd0f3387 (patch)
treea4c8fc6262add152fa7207e40a5f02b18c9bedde
parent2e3884b5b16795c03a7bf295797c1b2402885b88 (diff)
[XFRM]: xfrm_algo_clone() allocates too much memory
alg_key_len is the length in bits of the key, not in bytes. The best way to fix this is to move the alg_len() function from net/xfrm/xfrm_user.c to include/net/xfrm.h and use it in xfrm_algo_clone(). alg_len() is renamed to xfrm_alg_len() because it is now globally exposed. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/xfrm.h7
-rw-r--r--net/xfrm/xfrm_user.c17
2 files changed, 12 insertions, 12 deletions
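diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 58dfa82889a..1dd20cf1798 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1188,10 +1188,15 @@ static inline int xfrm_aevent_is_on(void)
 	return ret;
 }
 
+static inline int xfrm_alg_len(struct xfrm_algo *alg)
+{
+	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
+}
+
 #ifdef CONFIG_XFRM_MIGRATE
 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
 {
-	return (struct xfrm_algo *)kmemdup(orig, sizeof(*orig) + orig->alg_key_len, GFP_KERNEL);
+	return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
 }
 
 static inline void xfrm_states_put(struct xfrm_state **states, int n)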
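Review bot: The new header-exported helper xfrm_alg_len() only reads `alg_key_len`, so its parameter should be const-qualified now that any file in the tree can call it: `static inline int xfrm_alg_len(const struct xfrm_algo *alg)`. The rounding expression also deserves a one-line comment stating the unit, since the bit/byte confusion is exactly the bug this commit fixes, e.g. `/* alg_key_len is in bits; round up to whole key bytes */`. If `alg_key_len` is an unsigned int (its declaration is not visible here), `alg->alg_key_len + 7` wraps for values within 7 of UINT_MAX and the result collapses to `sizeof(*alg)`, so callers validating netlink input must not rely on this length alone.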
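diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e75dbdcb08a..c4f6419b176 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -31,11 +31,6 @@
 #include <linux/in6.h>
 #endif
 
-static inline int alg_len(struct xfrm_algo *alg)
-{
-	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
-}
-
 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)
 {
 	struct nlattr *rt = attrs[type];
@@ -45,7 +40,7 @@ static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)
 		return 0;
 
 	algp = nla_data(rt);
-	if (nla_len(rt) < alg_len(algp))
+	if (nla_len(rt) < xfrm_alg_len(algp))
 		return -EINVAL;
 
 	switch (type) {
@@ -204,7 +199,7 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
 		return -ENOSYS;
 	*props = algo->desc.sadb_alg_id;
 
-	p = kmemdup(ualg, alg_len(ualg), GFP_KERNEL);
+	p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL);
 	if (!p)
 		return -ENOMEM;
 
@@ -516,9 +511,9 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
 	NLA_PUT_U64(skb, XFRMA_LASTUSED, x->lastused);
 
 	if (x->aalg)
-		NLA_PUT(skb, XFRMA_ALG_AUTH, alg_len(x->aalg), x->aalg);
+		NLA_PUT(skb, XFRMA_ALG_AUTH, xfrm_alg_len(x->aalg), x->aalg);
 	if (x->ealg)
-		NLA_PUT(skb, XFRMA_ALG_CRYPT, alg_len(x->ealg), x->ealg);
+		NLA_PUT(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);
 	if (x->calg)
 		NLA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
 
@@ -1978,9 +1973,9 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
 {
 	size_t l = 0;
 	if (x->aalg)
-		l += nla_total_size(xfrm_alg_len(x->aalg));
+		l += nla_total_size(xfrm_alg_len(x->aalg));
 	if (x->ealg)
-		l += nla_total_size(alg_len(x->ealg));
+		l += nla_total_size(xfrm_alg_len(x->ealg));
 	if (x->calg)
 		l += nla_total_size(sizeof(*x->calg));
 	if (x->encap)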
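Review bot: In verify_one_alg() the `nla_len(rt) < xfrm_alg_len(algp)` comparison is the only bound placed on the user-supplied `alg_key_len`, and it trusts a byte count derived from that very field; if `alg_key_len` is an unsigned int (its declaration is not in this diff), a value near UINT_MAX makes the `+ 7` inside xfrm_alg_len() wrap, the helper returns just `sizeof(*alg)`, and an attribute carrying no key bytes passes with a key length later code will treat as billions of bits. A range check that is independent of the rounding closes this, e.g. `if (algp->alg_key_len > (unsigned int)nla_len(rt) * 8) return -EINVAL;` placed just before the existing comparison, since a valid key can never claim more bits than the attribute payload holds and nla_len() is small enough that the multiplication cannot overflow. The rest of verify_one_alg(), including the earlier `if (!rt)` guard implied by the `return 0;` context line, lies outside this hunk.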