Commit b025c3e5 authored by Steffen Klassert's avatar Steffen Klassert Committed by Ben Hutchings

af_key: Fix slab-out-of-bounds in pfkey_compile_policy.

commit d90c9024 upstream.

The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d ("[LSM-IPSec]: Security association restriction.")
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 4a69eeed
...@@ -3282,7 +3282,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, ...@@ -3282,7 +3282,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
p += pol->sadb_x_policy_len*8; p += pol->sadb_x_policy_len*8;
sec_ctx = (struct sadb_x_sec_ctx *)p; sec_ctx = (struct sadb_x_sec_ctx *)p;
if (len < pol->sadb_x_policy_len*8 + if (len < pol->sadb_x_policy_len*8 +
sec_ctx->sadb_x_sec_len) { sec_ctx->sadb_x_sec_len*8) {
*dir = -EINVAL; *dir = -EINVAL;
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment