diff options
author | Joy Latten <latten@austin.ibm.com> | 2007-04-13 19:14:35 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-04-13 19:14:35 -0400 |
commit | 661697f728d75302e1f661a58db2fcba71d5cbc9 (patch) | |
tree | 07513117f8bfc5ca1844c768a6edb410c1a0c5bf /net | |
parent | 279e172a580d415b83eba4f9fbbc77b08e546553 (diff) |
[IPSEC] XFRM_USER: kernel panic when large security contexts in ACQUIRE
When sending a security context of 50+ characters in an ACQUIRE
message, following kernel panic occurred.
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0]
pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8
lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8
sp: c0000000421bb560
msr: 8000000000029032
current = 0xc00000000fce8f00
paca = 0xc000000000464b00
pid = 2303, comm = ping
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
enter ? for help
3:mon> t
[c0000000421bb650] c00000000033538c .km_query+0x6c/0xec
[c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88
[c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c
[c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0
[c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4
[c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374
[c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4
[c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120
[c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214
[c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at 0000000007f0ca9c
SP (fc0ef8f0) is in userspace
We are using size of security context from xfrm_policy to determine
how much space to alloc skb and then putting security context from
xfrm_state into skb. Should have been using size of security context
from xfrm_state to alloc skb. Following fix does that
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/xfrm/xfrm_user.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index e81e2fb3d429..816e3690b60f 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -272,9 +272,8 @@ static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_a | |||
272 | } | 272 | } |
273 | 273 | ||
274 | 274 | ||
275 | static inline int xfrm_user_sec_ctx_size(struct xfrm_policy *xp) | 275 | static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) |
276 | { | 276 | { |
277 | struct xfrm_sec_ctx *xfrm_ctx = xp->security; | ||
278 | int len = 0; | 277 | int len = 0; |
279 | 278 | ||
280 | if (xfrm_ctx) { | 279 | if (xfrm_ctx) { |
@@ -2170,7 +2169,7 @@ static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, | |||
2170 | 2169 | ||
2171 | len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); | 2170 | len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); |
2172 | len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire)); | 2171 | len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire)); |
2173 | len += RTA_SPACE(xfrm_user_sec_ctx_size(xp)); | 2172 | len += RTA_SPACE(xfrm_user_sec_ctx_size(x->security)); |
2174 | #ifdef CONFIG_XFRM_SUB_POLICY | 2173 | #ifdef CONFIG_XFRM_SUB_POLICY |
2175 | len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); | 2174 | len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); |
2176 | #endif | 2175 | #endif |
@@ -2280,7 +2279,7 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_eve | |||
2280 | 2279 | ||
2281 | len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); | 2280 | len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); |
2282 | len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire)); | 2281 | len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire)); |
2283 | len += RTA_SPACE(xfrm_user_sec_ctx_size(xp)); | 2282 | len += RTA_SPACE(xfrm_user_sec_ctx_size(xp->security)); |
2284 | #ifdef CONFIG_XFRM_SUB_POLICY | 2283 | #ifdef CONFIG_XFRM_SUB_POLICY |
2285 | len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); | 2284 | len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); |
2286 | #endif | 2285 | #endif |