Commit d90c9024 authored by Steffen Klassert's avatar Steffen Klassert
Browse files

af_key: Fix slab-out-of-bounds in pfkey_compile_policy. 



The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d ("[LSM-IPSec]: Security association restriction.")
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent 9b3eb541

net/key/af_key.c

+1 −1
Original line number Diff line number Diff line
@@ -3285,7 +3285,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, 
		p += pol->sadb_x_policy_len*8;

		sec_ctx = (struct sadb_x_sec_ctx *)p;

		if (len < pol->sadb_x_policy_len*8 +

		    sec_ctx->sadb_x_sec_len) {

		    sec_ctx->sadb_x_sec_len*8) {

			*dir = -EINVAL;

			goto out;

		}

CRA Git | Maintained and supported by SUSTech CRA and CCSE