1 files changed, 62 insertions, 43 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 7128dde0fe1a..44293b3fd6a1 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -756,40 +756,50 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
 {
        copy_to_user_state(x, p);
-        if (x->coaddr)
+        if (x->coaddr &&
-                NLA_PUT(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr);
+            nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr))
+                goto nla_put_failure;
-        if (x->lastused)
+        if (x->lastused &&
-                NLA_PUT_U64(skb, XFRMA_LASTUSED, x->lastused);
+            nla_put_u64(skb, XFRMA_LASTUSED, x->lastused))
+                goto nla_put_failure;
-        if (x->aead)
+        if (x->aead &&
-                NLA_PUT(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead);
+            nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead))
-        if (x->aalg) {
+                goto nla_put_failure;
-                if (copy_to_user_auth(x->aalg, skb))
-                        goto nla_put_failure;
-                NLA_PUT(skb, XFRMA_ALG_AUTH_TRUNC,
+        if (x->aalg &&
-                        xfrm_alg_auth_len(x->aalg), x->aalg);
+            (copy_to_user_auth(x->aalg, skb) ||
-        }
+             nla_put(skb, XFRMA_ALG_AUTH_TRUNC,
-        if (x->ealg)
+                     xfrm_alg_auth_len(x->aalg), x->aalg)))
-                NLA_PUT(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);
+                goto nla_put_failure;
-        if (x->calg)
-                NLA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
-        if (x->encap)
+        if (x->ealg &&
-                NLA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
+            nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg))
+                goto nla_put_failure;
-        if (x->tfcpad)
+        if (x->calg &&
-                NLA_PUT_U32(skb, XFRMA_TFCPAD, x->tfcpad);
+            nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg))
+                goto nla_put_failure;
+        if (x->encap &&
+            nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap))
+                goto nla_put_failure;
+        if (x->tfcpad &&
+            nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad))
+                goto nla_put_failure;
        if (xfrm_mark_put(skb, &x->mark))
                goto nla_put_failure;
-        if (x->replay_esn)
+        if (x->replay_esn &&
-                NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
+            nla_put(skb, XFRMA_REPLAY_ESN_VAL,
-                        xfrm_replay_state_esn_len(x->replay_esn), x->replay_esn);
+                    xfrm_replay_state_esn_len(x->replay_esn),
+                    x->replay_esn))
+                goto nla_put_failure;
-        if (x->security && copy_sec_ctx(x->security, skb) < 0)
+        if (x->security && copy_sec_ctx(x->security, skb))
                goto nla_put_failure;
        return 0;
@@ -912,8 +922,9 @@ static int build_spdinfo(struct sk_buff *skb, struct net *net,
        sph.spdhcnt = si.spdhcnt;
        sph.spdhmcnt = si.spdhmcnt;
-        NLA_PUT(skb, XFRMA_SPD_INFO, sizeof(spc), &spc);
+        if (nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc) ||
-        NLA_PUT(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph);
+            nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph))
+                goto nla_put_failure;
        return nlmsg_end(skb, nlh);
@@ -967,8 +978,9 @@ static int build_sadinfo(struct sk_buff *skb, struct net *net,
        sh.sadhmcnt = si.sadhmcnt;
        sh.sadhcnt = si.sadhcnt;
-        NLA_PUT_U32(skb, XFRMA_SAD_CNT, si.sadcnt);
+        if (nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt) ||
-        NLA_PUT(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh);
+            nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh))
+                goto nla_put_failure;
        return nlmsg_end(skb, nlh);
@@ -1690,21 +1702,27 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct
        id->reqid = x->props.reqid;
        id->flags = c->data.aevent;
-        if (x->replay_esn)
+        if (x->replay_esn) {
-                NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
+                if (nla_put(skb, XFRMA_REPLAY_ESN_VAL,
-                        xfrm_replay_state_esn_len(x->replay_esn),
+                            xfrm_replay_state_esn_len(x->replay_esn),
-                        x->replay_esn);
+                            x->replay_esn))
-        else
+                        goto nla_put_failure;
-                NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
+        } else {
+                if (nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay),
-        NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft);
+                            &x->replay))
+                        goto nla_put_failure;
+        }
+        if (nla_put(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft))
+                goto nla_put_failure;
-        if (id->flags & XFRM_AE_RTHR)
+        if ((id->flags & XFRM_AE_RTHR) &&
-                NLA_PUT_U32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff);
+            nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff))
+                goto nla_put_failure;
-        if (id->flags & XFRM_AE_ETHR)
+        if ((id->flags & XFRM_AE_ETHR) &&
-                NLA_PUT_U32(skb, XFRMA_ETIMER_THRESH,
+            nla_put_u32(skb, XFRMA_ETIMER_THRESH,
-                            x->replay_maxage * 10 / HZ);
+                        x->replay_maxage * 10 / HZ))
+                goto nla_put_failure;
        if (xfrm_mark_put(skb, &x->mark))
                goto nla_put_failure;
@@ -2835,8 +2853,9 @@ static int build_report(struct sk_buff *skb, u8 proto,
        ur->proto = proto;
        memcpy(&ur->sel, sel, sizeof(ur->sel));
-        if (addr)
+        if (addr &&
-                NLA_PUT(skb, XFRMA_COADDR, sizeof(*addr), addr);
+            nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr))
+                goto nla_put_failure;
        return nlmsg_end(skb, nlh);

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 7128dde0fe1a..44293b3fd6a1 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -756,40 +756,50 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
756	{	756	{
757	copy_to_user_state(x, p);	757	copy_to_user_state(x, p);
758		758
759	if (x->coaddr)	759	if (x->coaddr &&
760	NLA_PUT(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr);	760	nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr))
		761	goto nla_put_failure;
761		762
762	if (x->lastused)	763	if (x->lastused &&
763	NLA_PUT_U64(skb, XFRMA_LASTUSED, x->lastused);	764	nla_put_u64(skb, XFRMA_LASTUSED, x->lastused))
		765	goto nla_put_failure;
764		766
765	if (x->aead)	767	if (x->aead &&
766	NLA_PUT(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead);	768	nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead))
767	if (x->aalg) {	769	goto nla_put_failure;
768	if (copy_to_user_auth(x->aalg, skb))
769	goto nla_put_failure;
770		770
771	NLA_PUT(skb, XFRMA_ALG_AUTH_TRUNC,	771	if (x->aalg &&
772	xfrm_alg_auth_len(x->aalg), x->aalg);	772	(copy_to_user_auth(x->aalg, skb) \|\|
773	}	773	nla_put(skb, XFRMA_ALG_AUTH_TRUNC,
774	if (x->ealg)	774	xfrm_alg_auth_len(x->aalg), x->aalg)))
775	NLA_PUT(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);	775	goto nla_put_failure;
776	if (x->calg)
777	NLA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
778		776
779	if (x->encap)	777	if (x->ealg &&
780	NLA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);	778	nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg))
		779	goto nla_put_failure;
781		780
782	if (x->tfcpad)	781	if (x->calg &&
783	NLA_PUT_U32(skb, XFRMA_TFCPAD, x->tfcpad);	782	nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg))
		783	goto nla_put_failure;
		784
		785	if (x->encap &&
		786	nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap))
		787	goto nla_put_failure;
		788
		789	if (x->tfcpad &&
		790	nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad))
		791	goto nla_put_failure;
784		792
785	if (xfrm_mark_put(skb, &x->mark))	793	if (xfrm_mark_put(skb, &x->mark))
786	goto nla_put_failure;	794	goto nla_put_failure;
787		795
788	if (x->replay_esn)	796	if (x->replay_esn &&
789	NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,	797	nla_put(skb, XFRMA_REPLAY_ESN_VAL,
790	xfrm_replay_state_esn_len(x->replay_esn), x->replay_esn);	798	xfrm_replay_state_esn_len(x->replay_esn),
		799	x->replay_esn))
		800	goto nla_put_failure;
791		801
792	if (x->security && copy_sec_ctx(x->security, skb) < 0)	802	if (x->security && copy_sec_ctx(x->security, skb))
793	goto nla_put_failure;	803	goto nla_put_failure;
794		804
795	return 0;	805	return 0;
@@ -912,8 +922,9 @@ static int build_spdinfo(struct sk_buff skb, struct net net,
912	sph.spdhcnt = si.spdhcnt;	922	sph.spdhcnt = si.spdhcnt;
913	sph.spdhmcnt = si.spdhmcnt;	923	sph.spdhmcnt = si.spdhmcnt;
914		924
915	NLA_PUT(skb, XFRMA_SPD_INFO, sizeof(spc), &spc);	925	if (nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc) \|\|
916	NLA_PUT(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph);	926	nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph))
		927	goto nla_put_failure;
917		928
918	return nlmsg_end(skb, nlh);	929	return nlmsg_end(skb, nlh);
919		930
@@ -967,8 +978,9 @@ static int build_sadinfo(struct sk_buff skb, struct net net,
967	sh.sadhmcnt = si.sadhmcnt;	978	sh.sadhmcnt = si.sadhmcnt;
968	sh.sadhcnt = si.sadhcnt;	979	sh.sadhcnt = si.sadhcnt;
969		980
970	NLA_PUT_U32(skb, XFRMA_SAD_CNT, si.sadcnt);	981	if (nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt) \|\|
971	NLA_PUT(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh);	982	nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh))
		983	goto nla_put_failure;
972		984
973	return nlmsg_end(skb, nlh);	985	return nlmsg_end(skb, nlh);
974		986
@@ -1690,21 +1702,27 @@ static int build_aevent(struct sk_buff skb, struct xfrm_state x, const struct
1690	id->reqid = x->props.reqid;	1702	id->reqid = x->props.reqid;
1691	id->flags = c->data.aevent;	1703	id->flags = c->data.aevent;
1692		1704
1693	if (x->replay_esn)	1705	if (x->replay_esn) {
1694	NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,	1706	if (nla_put(skb, XFRMA_REPLAY_ESN_VAL,
1695	xfrm_replay_state_esn_len(x->replay_esn),	1707	xfrm_replay_state_esn_len(x->replay_esn),
1696	x->replay_esn);	1708	x->replay_esn))
1697	else	1709	goto nla_put_failure;
1698	NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);	1710	} else {
1699		1711	if (nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay),
1700	NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft);	1712	&x->replay))
		1713	goto nla_put_failure;
		1714	}
		1715	if (nla_put(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft))
		1716	goto nla_put_failure;
1701		1717
1702	if (id->flags & XFRM_AE_RTHR)	1718	if ((id->flags & XFRM_AE_RTHR) &&
1703	NLA_PUT_U32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff);	1719	nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff))
		1720	goto nla_put_failure;
1704		1721
1705	if (id->flags & XFRM_AE_ETHR)	1722	if ((id->flags & XFRM_AE_ETHR) &&
1706	NLA_PUT_U32(skb, XFRMA_ETIMER_THRESH,	1723	nla_put_u32(skb, XFRMA_ETIMER_THRESH,
1707	x->replay_maxage * 10 / HZ);	1724	x->replay_maxage * 10 / HZ))
		1725	goto nla_put_failure;
1708		1726
1709	if (xfrm_mark_put(skb, &x->mark))	1727	if (xfrm_mark_put(skb, &x->mark))
1710	goto nla_put_failure;	1728	goto nla_put_failure;
@@ -2835,8 +2853,9 @@ static int build_report(struct sk_buff *skb, u8 proto,
2835	ur->proto = proto;	2853	ur->proto = proto;
2836	memcpy(&ur->sel, sel, sizeof(ur->sel));	2854	memcpy(&ur->sel, sel, sizeof(ur->sel));
2837		2855
2838	if (addr)	2856	if (addr &&
2839	NLA_PUT(skb, XFRMA_COADDR, sizeof(*addr), addr);	2857	nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr))
		2858	goto nla_put_failure;
2840		2859
2841	return nlmsg_end(skb, nlh);	2860	return nlmsg_end(skb, nlh);
2842		2861