1 files changed, 21 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index fc152d28753c..ccc4c0c8ef00 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -360,6 +360,23 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
        return 0;
 }
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+                                         struct nlattr *rp)
+{
+        struct xfrm_replay_state_esn *up;
+        if (!replay_esn || !rp)
+                return 0;
+        up = nla_data(rp);
+        if (xfrm_replay_state_esn_len(replay_esn) !=
+                        xfrm_replay_state_esn_len(up))
+                return -EINVAL;
+        return 0;
+}
 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
                                       struct xfrm_replay_state_esn **preplay_esn,
                                       struct nlattr *rta)
@@ -1766,6 +1783,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (x->km.state != XFRM_STATE_VALID)
                goto out;
+        err = xfrm_replay_verify_len(x->replay_esn, rp);
+        if (err)
+                goto out;
        spin_lock_bh(&x->lock);
        xfrm_update_ae_params(x, attrs);
        spin_unlock_bh(&x->lock);

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index fc152d28753c..ccc4c0c8ef00 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -360,6 +360,23 @@ static int attach_aead(struct xfrm_algo_aead *algpp, u8 props,
360	return 0;	360	return 0;
361	}	361	}
362		362
		363	static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
		364	struct nlattr *rp)
		365	{
		366	struct xfrm_replay_state_esn *up;
		367
		368	if (!replay_esn \|\| !rp)
		369	return 0;
		370
		371	up = nla_data(rp);
		372
		373	if (xfrm_replay_state_esn_len(replay_esn) !=
		374	xfrm_replay_state_esn_len(up))
		375	return -EINVAL;
		376
		377	return 0;
		378	}
		379
363	static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,	380	static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
364	struct xfrm_replay_state_esn **preplay_esn,	381	struct xfrm_replay_state_esn **preplay_esn,
365	struct nlattr *rta)	382	struct nlattr *rta)
@@ -1766,6 +1783,10 @@ static int xfrm_new_ae(struct sk_buff skb, struct nlmsghdr nlh,
1766	if (x->km.state != XFRM_STATE_VALID)	1783	if (x->km.state != XFRM_STATE_VALID)
1767	goto out;	1784	goto out;
1768		1785
		1786	err = xfrm_replay_verify_len(x->replay_esn, rp);
		1787	if (err)
		1788	goto out;
		1789
1769	spin_lock_bh(&x->lock);	1790	spin_lock_bh(&x->lock);
1770	xfrm_update_ae_params(x, attrs);	1791	xfrm_update_ae_params(x, attrs);
1771	spin_unlock_bh(&x->lock);	1792	spin_unlock_bh(&x->lock);