!1311 Fix CVE-2023-2860
Merge Pull Request from: @ziyang-xuan

The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info.

Link: https://gitee.com/openeuler/kernel/pulls/1311
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
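
The length check the commit message says was missing, shown as an added userspace model (not the kernel code and not this pull request's patch). The `attr` and `hmac_info` structs and the `set_hmac_secret` and `try_secret` functions are hypothetical names that stand in for the parsed SECRET attribute and the stored HMAC data; the inputs are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 64 /* max secret length given in the commit message */

/* Hypothetical stand-in for a parsed netlink attribute: payload + its real length. */
struct attr { const uint8_t *data; size_t len; };

struct hmac_info { uint8_t secret[MAX_SECRET]; uint8_t slen; };

/* Copy the secret only if the claimed SECRETLEN is covered by the SECRET payload. */
int set_hmac_secret(struct hmac_info *out, const struct attr *secret, uint8_t secretlen)
{
    if (secretlen > MAX_SECRET)
        return -EINVAL;
    /* Without this comparison, memcpy would read secretlen bytes from a
     * payload that may be shorter (even empty), running past its end. */
    if (secretlen > secret->len)
        return -EINVAL;
    memset(out, 0, sizeof(*out));
    memcpy(out->secret, secret->data, secretlen);
    out->slen = secretlen;
    return 0;
}

/* Helper for the constructed cases below: returns the validation result. */
int try_secret(const char *payload, size_t payload_len, uint8_t claimed_len)
{
    struct hmac_info info;
    struct attr a = { (const uint8_t *)payload, payload_len };
    return set_hmac_secret(&info, &a, claimed_len);
}

int main(void)
{
    /* Constructed inputs: (payload, real length, claimed SECRETLEN). */
    printf("empty secret, secretlen=64 -> %d\n", try_secret("", 0, 64));
    printf("16-byte secret, secretlen=16 -> %d\n", try_secret("0123456789abcdef", 16, 16));
    printf("16-byte secret, secretlen=65 -> %d\n", try_secret("0123456789abcdef", 16, 65));
    return 0;
}
```

The first case is the combination quoted in the commit message (secret = "", secretlen = 64) and is rejected before any copy takes place.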