1 files changed, 24 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index fc152d28753c..3d15d3e1b2c4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -127,6 +127,9 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
        if (!rt)
                return 0;
+        if (p->id.proto != IPPROTO_ESP)
+                return -EINVAL;
        if (p->replay_window != 0)
                return -EINVAL;
@@ -360,6 +363,23 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
        return 0;
 }
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+                                         struct nlattr *rp)
+{
+        struct xfrm_replay_state_esn *up;
+        if (!replay_esn || !rp)
+                return 0;
+        up = nla_data(rp);
+        if (xfrm_replay_state_esn_len(replay_esn) !=
+                        xfrm_replay_state_esn_len(up))
+                return -EINVAL;
+        return 0;
+}
 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
                                       struct xfrm_replay_state_esn **preplay_esn,
                                       struct nlattr *rta)
@@ -1766,6 +1786,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (x->km.state != XFRM_STATE_VALID)
                goto out;
+        err = xfrm_replay_verify_len(x->replay_esn, rp);
+        if (err)
+                goto out;
        spin_lock_bh(&x->lock);
        xfrm_update_ae_params(x, attrs);
        spin_unlock_bh(&x->lock);

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index fc152d28753c..3d15d3e1b2c4 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -127,6 +127,9 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
127	if (!rt)	127	if (!rt)
128	return 0;	128	return 0;
129		129
		130	if (p->id.proto != IPPROTO_ESP)
		131	return -EINVAL;
		132
130	if (p->replay_window != 0)	133	if (p->replay_window != 0)
131	return -EINVAL;	134	return -EINVAL;
132		135
@@ -360,6 +363,23 @@ static int attach_aead(struct xfrm_algo_aead *algpp, u8 props,
360	return 0;	363	return 0;
361	}	364	}
362		365
		366	static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
		367	struct nlattr *rp)
		368	{
		369	struct xfrm_replay_state_esn *up;
		370
		371	if (!replay_esn \|\| !rp)
		372	return 0;
		373
		374	up = nla_data(rp);
		375
		376	if (xfrm_replay_state_esn_len(replay_esn) !=
		377	xfrm_replay_state_esn_len(up))
		378	return -EINVAL;
		379
		380	return 0;
		381	}
		382
363	static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,	383	static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
364	struct xfrm_replay_state_esn **preplay_esn,	384	struct xfrm_replay_state_esn **preplay_esn,
365	struct nlattr *rta)	385	struct nlattr *rta)
@@ -1766,6 +1786,10 @@ static int xfrm_new_ae(struct sk_buff skb, struct nlmsghdr nlh,
1766	if (x->km.state != XFRM_STATE_VALID)	1786	if (x->km.state != XFRM_STATE_VALID)
1767	goto out;	1787	goto out;
1768		1788
		1789	err = xfrm_replay_verify_len(x->replay_esn, rp);
		1790	if (err)
		1791	goto out;
		1792
1769	spin_lock_bh(&x->lock);	1793	spin_lock_bh(&x->lock);
1770	xfrm_update_ae_params(x, attrs);	1794	xfrm_update_ae_params(x, attrs);
1771	spin_unlock_bh(&x->lock);	1795	spin_unlock_bh(&x->lock);