xfrm: fix uctx len check in verify_sec_ctx_len

It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d ("[LSM-IPSec]: Security association restriction.") Signed-off-by: N Xin Long <lucien.xin@gmail.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com>

xfrm: fix uctx len check in verify_sec_ctx_len
It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d ("[LSM-IPSec]: Security association restriction.") Signed-off-by: N Xin Long <lucien.xin@gmail.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com>
171d449a · Xin Long · Steffen Klassert · f1ed1026 · 171d449a
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/xfrm/xfrm_user.c net/xfrm/xfrm_user.c +2 -1

未找到文件。
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
 		return 0;

 	uctx = nla_data(rt);
-	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+	if (uctx->len > nla_len(rt) ||
+	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
 		return -EINVAL;

 	return 0;