aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2005-05-19 15:39:49 -0400
committerDavid S. Miller <davem@davemloft.net>2005-05-19 15:39:49 -0400
commit31c26852cb2ac77f1d4acb37bcf31f165fd5eb68 (patch)
treece2e98c79f4d9051baff55c5f5fdb90defb9e18e
parentb9e9dead05b19e7f52c9aa00cd3a5b7ac4fcacf4 (diff)
[IPSEC]: Verify key payload in verify_one_algo
We need to verify that the payload contains enough data so that attach_one_algo can copy alg_key_len bits from the payload. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/xfrm/xfrm_user.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 15ba08602aa1..97509011c274 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -34,14 +34,21 @@ static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
34{ 34{
35 struct rtattr *rt = xfrma[type - 1]; 35 struct rtattr *rt = xfrma[type - 1];
36 struct xfrm_algo *algp; 36 struct xfrm_algo *algp;
37 int len;
37 38
38 if (!rt) 39 if (!rt)
39 return 0; 40 return 0;
40 41
41 if ((rt->rta_len - sizeof(*rt)) < sizeof(*algp)) 42 len = (rt->rta_len - sizeof(*rt)) - sizeof(*algp);
43 if (len < 0)
42 return -EINVAL; 44 return -EINVAL;
43 45
44 algp = RTA_DATA(rt); 46 algp = RTA_DATA(rt);
47
48 len -= (algp->alg_key_len + 7U) / 8;
49 if (len < 0)
50 return -EINVAL;
51
45 switch (type) { 52 switch (type) {
46 case XFRMA_ALG_AUTH: 53 case XFRMA_ALG_AUTH:
47 if (!algp->alg_key_len && 54 if (!algp->alg_key_len &&