xfrm: check trunc_len in XFRMA_ALG_AUTH_TRUNC

Maximum trunc length is defined by MAX_AH_AUTH_LEN (in bytes) and need to be checked when this value is set (in bits) by the user. In ah4.c and ah6.c a BUG_ON() checks this condiftion. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Nicolas Dichtel <nicolas.dichtel@6wind.com> 2011-01-11 03:04:12 -0500
committer: David S. Miller <davem@davemloft.net> 2011-01-11 17:03:09 -0500
commit: fa6dd8a2c89861d05621ce7e2880e485bec22fba (patch)
tree: 8636aee24a084dc6b530cc8c0e06c283429d037e /net/xfrm
parent: f76957fc8fc4fa9735f01e59653b2792b077de06 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 6a8da81ff66f..d5e1e0b08890 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -26,6 +26,7 @@
 #include <net/sock.h>
 #include <net/xfrm.h>
 #include <net/netlink.h>
+#include <net/ah.h>
 #include <asm/uaccess.h>
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #include <linux/in6.h>
@@ -302,7 +303,8 @@ static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props,
        algo = xfrm_aalg_get_byname(ualg->alg_name, 1);
        if (!algo)
                return -ENOSYS;
-        if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits)
+        if ((ualg->alg_trunc_len / 8) > MAX_AH_AUTH_LEN ||
+            ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits)
                return -EINVAL;
        *props = algo->desc.sadb_alg_id;
author	Nicolas Dichtel <nicolas.dichtel@6wind.com>	2011-01-11 03:04:12 -0500
committer	David S. Miller <davem@davemloft.net>	2011-01-11 17:03:09 -0500
commit	fa6dd8a2c89861d05621ce7e2880e485bec22fba (patch)
tree	8636aee24a084dc6b530cc8c0e06c283429d037e /net/xfrm
parent	f76957fc8fc4fa9735f01e59653b2792b077de06 (diff)