author | Steffen Klassert <steffen.klassert@secunet.com> | 2011-03-28 15:47:30 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-03-29 02:34:52 -0400 |
commit | e2b19125e94124daaeda1ddcf9b85b04575ad86f (patch) | |
tree | ee670f037ea5b3826731ea5169f1afe94b925f16 | |
parent | af2f464e326ebad57284cfdecb03f1606e89bbc7 (diff) |
xfrm: Check for esn buffer len in xfrm_new_ae
In xfrm_new_ae() we may overwrite the allocated esn replay state
buffer with a wrong size. So check that the new size matches the
original allocated size and return an error if this is not the case.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/xfrm/xfrm_user.c | 21 |
1 files changed, 21 insertions, 0 deletions
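--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -360,6 +360,23 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
 	return 0;
 }
 
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+					 struct nlattr *rp)
+{
+	struct xfrm_replay_state_esn *up;
+
+	if (!replay_esn || !rp)
+		return 0;
+
+	up = nla_data(rp);
+
+	if (xfrm_replay_state_esn_len(replay_esn) !=
+	    xfrm_replay_state_esn_len(up))
+		return -EINVAL;
+
+	return 0;
+}
+
 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
 				       struct xfrm_replay_state_esn **preplay_esn,
 				       struct nlattr *rta)
@@ -1766,6 +1783,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (x->km.state != XFRM_STATE_VALID)
 		goto out;
 
+	err = xfrm_replay_verify_len(x->replay_esn, rp);
+	if (err)
+		goto out;
+
 	spin_lock_bh(&x->lock);
 	xfrm_update_ae_params(x, attrs);
 	spin_unlock_bh(&x->lock);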
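Review bot: In the first hunk, xfrm_replay_verify_len() compares the kernel's expected size against xfrm_replay_state_esn_len(up), which is derived from the bmp_len field inside the userspace-supplied payload, but it never checks that the attribute actually carries that many bytes via nla_len(rp). An attribute whose bmp_len matches the existing state but whose payload is shorter would pass the check, and the subsequent copy in xfrm_update_ae_params() (outside this hunk) would read past the end of the attribute. Unless the netlink policy is known to enforce the full variable length rather than just the fixed header, the check should also bound the payload: `if (nla_len(rp) < (int)xfrm_replay_state_esn_len(up) ||` / `    xfrm_replay_state_esn_len(replay_esn) != xfrm_replay_state_esn_len(up))` / `	return -EINVAL;`. Reading up->bmp_len before any length check also presumes the policy guarantees at least sizeof(*up) bytes; a short comment stating that assumption above `up = nla_data(rp);` would help the next reader. The caller in the second hunk, xfrm_new_ae(), starts and ends outside the hunk.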