未验证 提交 44a28dc2 编写于 作者: O openeuler-ci-bot 提交者: Gitee

!1311 Fix CVE-2023-2860

Merge Pull Request from: @ziyang-xuan 
 
The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers.
Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations(e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info. 
 
Link:https://gitee.com/openeuler/kernel/pulls/1311 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
...@@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info) ...@@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
goto out_unlock; goto out_unlock;
} }
if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
err = -EINVAL;
goto out_unlock;
}
if (hinfo) { if (hinfo) {
err = seg6_hmac_info_del(net, hmackeyid); err = seg6_hmac_info_del(net, hmackeyid);
if (err) if (err)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册