[IPSEC]: Verify key payload in verify_one_algo

We need to verify that the payload contains enough data so that attach_one_algo can copy alg_key_len bits from the payload. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2005-05-19 15:39:49 -0400
committer: David S. Miller <davem@davemloft.net> 2005-05-19 15:39:49 -0400
commit: 31c26852cb2ac77f1d4acb37bcf31f165fd5eb68 (patch)
tree: ce2e98c79f4d9051baff55c5f5fdb90defb9e18e /net/xfrm/xfrm_user.c
parent: b9e9dead05b19e7f52c9aa00cd3a5b7ac4fcacf4 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 15ba08602aa1..97509011c274 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -34,14 +34,21 @@ static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
 {
        struct rtattr *rt = xfrma[type - 1];
        struct xfrm_algo *algp;
+        int len;
        if (!rt)
                return 0;
-        if ((rt->rta_len - sizeof(*rt)) < sizeof(*algp))
+        len = (rt->rta_len - sizeof(*rt)) - sizeof(*algp);
+        if (len < 0)
                return -EINVAL;
        algp = RTA_DATA(rt);
+        len -= (algp->alg_key_len + 7U) / 8; 
+        if (len < 0)
+                return -EINVAL;
        switch (type) {
        case XFRMA_ALG_AUTH:
                if (!algp->alg_key_len &&
author	Herbert Xu <herbert@gondor.apana.org.au>	2005-05-19 15:39:49 -0400
committer	David S. Miller <davem@davemloft.net>	2005-05-19 15:39:49 -0400
commit	31c26852cb2ac77f1d4acb37bcf31f165fd5eb68 (patch)
tree	ce2e98c79f4d9051baff55c5f5fdb90defb9e18e /net/xfrm/xfrm_user.c
parent	b9e9dead05b19e7f52c9aa00cd3a5b7ac4fcacf4 (diff)