authorSteffen Klassert <steffen.klassert@secunet.com>2011-03-28 15:47:30 -0400
committerDavid S. Miller <davem@davemloft.net>2011-03-29 02:34:52 -0400
commite2b19125e94124daaeda1ddcf9b85b04575ad86f (patch)
treeee670f037ea5b3826731ea5169f1afe94b925f16
parentaf2f464e326ebad57284cfdecb03f1606e89bbc7 (diff)
xfrm: Check for esn buffer len in xfrm_new_ae
In xfrm_new_ae() we may overwrite the allocated esn replay state buffer with a wrong size. So check that the new size matches the original allocated size and return an error if this is not the case. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/xfrm/xfrm_user.c21
1 files changed, 21 insertions, 0 deletions
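--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -360,6 +360,23 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
  return 0;
 }
 
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+ struct nlattr *rp)
+{
+ struct xfrm_replay_state_esn *up;
+
+ if (!replay_esn || !rp)
+ return 0;
+
+ up = nla_data(rp);
+
+ if (xfrm_replay_state_esn_len(replay_esn) !=
+ xfrm_replay_state_esn_len(up))
+ return -EINVAL;
+
+ return 0;
+}
+
 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
  struct xfrm_replay_state_esn **preplay_esn,
  struct nlattr *rta)
@@ -1766,6 +1783,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
  if (x->km.state != XFRM_STATE_VALID)
  goto out;
 
+ err = xfrm_replay_verify_len(x->replay_esn, rp);
+ if (err)
+ goto out;
+
  spin_lock_bh(&x->lock);
  xfrm_update_ae_params(x, attrs);
  spin_unlock_bh(&x->lock);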
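Review bot: xfrm_replay_verify_len in the first hunk compares the length derived from the user-supplied state, `xfrm_replay_state_esn_len(up)`, with the length of the allocated buffer, but never checks that the attribute payload is actually that long; the size field is read straight out of `nla_data(rp)`, so if the netlink policy only guarantees the fixed struct header, a payload shorter than its own declared bitmap length would still pass and the later copy in xfrm_update_ae_params (not visible here) would presumably read beyond the attribute. A payload bound after `up = nla_data(rp);`, `if (nla_len(rp) < xfrm_replay_state_esn_len(up)) return -EINVAL;`, makes the helper self-contained regardless of what the policy enforces. The helper also returns 0 when `replay_esn` is NULL but `rp` is present, i.e. an ESN attribute is accepted for a state that has no ESN buffer, which deserves a one-line comment stating whether that is intended or should also be rejected. xfrm_new_ae's body starts and ends outside the second hunk.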