Commit 171d449a authored by Xin Long's avatar Xin Long Committed by Steffen Klassert
Browse files

xfrm: fix uctx len check in verify_sec_ctx_len 



It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.

This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).

Fixes: df71837d ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent f1ed1026

net/xfrm/xfrm_user.c

+2 −1
Original line number Diff line number Diff line
@@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs) 
		return 0;



	uctx = nla_data(rt);

	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))

	if (uctx->len > nla_len(rt) ||

	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))

		return -EINVAL;



	return 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE