• M
    xfrm_user: ensure user supplied esn replay window is valid · ecd79187
    Mathias Krause 提交于
    The current code fails to ensure that the netlink message actually
    contains as many bytes as the header indicates. If a user creates a new
    state or updates an existing one but does not supply the bytes for the
    whole ESN replay window, the kernel copies random heap bytes into the
    replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL
    netlink attribute. This leads to following issues:
    
    1. The replay window has random bits set confusing the replay handling
       code later on.
    
    2. A malicious user could use this flaw to leak up to ~3.5kB of heap
       memory when she has access to the XFRM netlink interface (requires
       CAP_NET_ADMIN).
    
    Known users of the ESN replay window are strongSwan and Steffen's
    iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter
    uses the interface with a bitmap supplied while the former does not.
    strongSwan is therefore prone to run into issue 1.
    
    To fix both issues without breaking existing userland allow using the
    XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a
    fully specified one. For the former case we initialize the in-kernel
    bitmap with zero, for the latter we copy the user supplied bitmap. For
    state updates the full bitmap must be supplied.
    
    To prevent overflows in the bitmap length calculation the maximum size
    of bmp_len is limited to 128 by this patch -- resulting in a maximum
    replay window of 4096 packets. This should be sufficient for all real
    life scenarios (RFC 4303 recommends a default replay window size of 64).
    
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Martin Willi <martin@revosec.ch>
    Cc: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: NMathias Krause <minipli@googlemail.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    ecd79187
xfrm.h 10.7 KB