From: Steffen Klassert <steffen.klassert@secunet.com>
To: Kevin Easton <kevin@guarana.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>, <netdev@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 1/2] af_key: Always verify length of provided sadb_key
Date: Mon, 9 Apr 2018 12:33:39 +0200 [thread overview]
Message-ID: <20180409103339.jtkfg7xhjmjy772o@gauss3.secunet.de> (raw)
In-Reply-To: <de803d3d01f8b70d306c0d52569cc5265ed20bc9.1523115061.git.kevin@guarana.org>
On Sat, Apr 07, 2018 at 11:40:33AM -0400, Kevin Easton wrote:
> Key extensions (struct sadb_key) include a user-specified number of key
> bits. The kernel uses that number to determine how much key data to copy
> out of the message in pfkey_msg2xfrm_state().
>
> The length of the sadb_key message must be verified to be long enough,
> even in the case of SADB_X_AALG_NULL. Furthermore, the sadb_key_len value
> must be long enough to include both the key data and the struct sadb_key
> itself.
>
> Introduce a helper function verify_key_len(), and call it from
> parse_exthdrs() where other exthdr types are similarly checked for
> correctness.
>
> Signed-off-by: Kevin Easton <kevin@guarana.org>
> Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
Applied to the ipsec tree, thanks Kevin!
next prev parent reply other threads:[~2018-04-09 10:33 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-07 15:40 [PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun Kevin Easton
2018-04-07 15:40 ` [PATCH v2 1/2] af_key: Always verify length of provided sadb_key Kevin Easton
2018-04-09 10:33 ` Steffen Klassert [this message]
2018-04-07 15:40 ` [PATCH v2 2/2] af_key: Use DIV_ROUND_UP() instead of open-coded equivalent Kevin Easton
2018-04-09 10:34 ` Steffen Klassert
2018-04-10 11:38 ` Kevin Easton
2018-04-09 10:32 ` [PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180409103339.jtkfg7xhjmjy772o@gauss3.secunet.de \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kevin@guarana.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.