diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2005-05-19 15:39:04 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-05-19 15:39:04 -0400 |
commit | b9e9dead05b19e7f52c9aa00cd3a5b7ac4fcacf4 (patch) | |
tree | 89852e61eaea7cd88c652e91b594fd8f4c312a9d | |
parent | 8be58932ca596972e4953ae980d8bc286857cae8 (diff) |
[IPSEC]: Fixed alg_key_len usage in attach_one_algo
The variable alg_key_len is in bits and not bytes. The function
attach_one_algo is currently using it as if it were in bytes.
This causes it to read memory which may not be there.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/xfrm/xfrm_user.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 5ddda2c98af9..15ba08602aa1 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -162,6 +162,7 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, | |||
162 | struct rtattr *rta = u_arg; | 162 | struct rtattr *rta = u_arg; |
163 | struct xfrm_algo *p, *ualg; | 163 | struct xfrm_algo *p, *ualg; |
164 | struct xfrm_algo_desc *algo; | 164 | struct xfrm_algo_desc *algo; |
165 | int len; | ||
165 | 166 | ||
166 | if (!rta) | 167 | if (!rta) |
167 | return 0; | 168 | return 0; |
@@ -173,11 +174,12 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, | |||
173 | return -ENOSYS; | 174 | return -ENOSYS; |
174 | *props = algo->desc.sadb_alg_id; | 175 | *props = algo->desc.sadb_alg_id; |
175 | 176 | ||
176 | p = kmalloc(sizeof(*ualg) + ualg->alg_key_len, GFP_KERNEL); | 177 | len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8; |
178 | p = kmalloc(len, GFP_KERNEL); | ||
177 | if (!p) | 179 | if (!p) |
178 | return -ENOMEM; | 180 | return -ENOMEM; |
179 | 181 | ||
180 | memcpy(p, ualg, sizeof(*ualg) + ualg->alg_key_len); | 182 | memcpy(p, ualg, len); |
181 | *algpp = p; | 183 | *algpp = p; |
182 | return 0; | 184 | return 0; |
183 | } | 185 | } |