* [PATCH iproute2] ip xfrm: use correct key length for netlink message
@ 2017-09-29 11:41 Michal Kubecek
  2017-10-01 20:48 ` Stephen Hemminger
  0 siblings, 1 reply; 2+ messages in thread
From: Michal Kubecek @ 2017-09-29 11:41 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: netdev

When SA is added manually using "ip xfrm state add", xfrm_state_modify()
uses alg_key_len field of struct xfrm_algo for the length of key passed to
kernel in the netlink message. However alg_key_len is bit length of the key
while we need byte length here. This is usually harmless as kernel ignores
the excess data but when the bit length of the key exceeds 512
(XFRM_ALGO_KEY_BUF_SIZE), it can result in buffer overflow.

We can simply divide by 8 here as the only place setting alg_key_len is in
xfrm_algo_parse() where it is always set to a multiple of 8 (and there are
already multiple places using "algo->alg_key_len / 8").

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 ip/xfrm_state.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 4483fb8f71d2..99fdec2325ec 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -539,7 +539,7 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
 
 				xfrm_algo_parse((void *)&alg, type, name, key,
 						buf, sizeof(alg.buf));
-				len += alg.u.alg.alg_key_len;
+				len += alg.u.alg.alg_key_len / 8;
 
 				addattr_l(&req.n, sizeof(req.buf), type,
 					  (void *)&alg, len);
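Review bot: The changed line "len += alg.u.alg.alg_key_len / 8;" is only correct because alg_key_len is a multiple of 8, an invariant stated in the commit message but not in the code. A short comment here saying that the field is in bits and that xfrm_algo_parse() always stores whole bytes would keep that assumption next to the line that depends on it. Nothing in this hunk compares len against the size of alg before addattr_l() copies from it, so an explicit check that len does not exceed sizeof(alg) would make the copy safe independently of the parser. The commit message notes that "algo->alg_key_len / 8" already appears in several places, so a small bits-to-bytes helper would be a reasonable follow-up.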
-- 
2.14.2
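
The bits-versus-bytes mismatch described in the commit message above, as an added example that is not part of the patch or of iproute2. The struct is a simplified stand-in for the algorithm header followed by its 512-byte key buffer (an assumed layout), and copy_attr() is a hypothetical bounds-checked copy standing in for the attribute append.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define KEY_BUF_SIZE 512	/* XFRM_ALGO_KEY_BUF_SIZE, per the commit message */

/* Simplified stand-in for the algorithm header plus key storage (assumed layout). */
struct algo_model {
	char alg_name[64];
	unsigned int alg_key_len;	/* key length in BITS */
	char key[KEY_BUF_SIZE];		/* models alg.buf */
};
#define ALGO_HDR offsetof(struct algo_model, key)

/* Length as the unpatched line computes it: the bit count is added as if it were bytes. */
size_t len_before(const struct algo_model *a) { return ALGO_HDR + a->alg_key_len; }

/* Length after the patch: header plus key bytes. */
size_t len_after(const struct algo_model *a) { return ALGO_HDR + a->alg_key_len / 8; }

/* Hypothetical checked copy: refuse any length that would read past the
 * source object or write past the destination. Returns bytes copied or -1. */
long copy_attr(void *dst, size_t dst_size, const struct algo_model *a, size_t len)
{
	if (len > sizeof(*a) || len > dst_size)
		return -1;
	memcpy(dst, a, len);
	return (long)len;
}

int main(void)
{
	static const unsigned int bits[] = { 128, 256, 512, 520, 4096 };	/* constructed key sizes */
	char msg[1024];
	struct algo_model a;

	memset(&a, 0, sizeof(a));
	strcpy(a.alg_name, "constructed-alg");
	for (size_t i = 0; i < sizeof(bits) / sizeof(bits[0]); i++) {
		a.alg_key_len = bits[i];
		long before = copy_attr(msg, sizeof(msg), &a, len_before(&a));
		long after = copy_attr(msg, sizeof(msg), &a, len_after(&a));
		printf("%4u bits: unpatched len %4zu %-8s  patched len %3zu %s\n",
		       bits[i], len_before(&a), before < 0 ? "rejected" : "fits",
		       len_after(&a), after < 0 ? "rejected" : "fits");
	}
	return 0;
}
```

Up to 512 bits the unpatched length only sends excess bytes that still lie inside the object; from 520 bits on it exceeds the object and the checked copy rejects it, while the patched length fits for every key the buffer can hold.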


* Re: [PATCH iproute2] ip xfrm: use correct key length for netlink message
  2017-09-29 11:41 [PATCH iproute2] ip xfrm: use correct key length for netlink message Michal Kubecek
@ 2017-10-01 20:48 ` Stephen Hemminger
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Hemminger @ 2017-10-01 20:48 UTC (permalink / raw)
  To: Michal Kubecek; +Cc: netdev

On Fri, 29 Sep 2017 13:41:05 +0200 (CEST)
Michal Kubecek <mkubecek@suse.cz> wrote:

> When SA is added manually using "ip xfrm state add", xfrm_state_modify()
> uses alg_key_len field of struct xfrm_algo for the length of key passed to
> kernel in the netlink message. However alg_key_len is bit length of the key
> while we need byte length here. This is usually harmless as kernel ignores
> the excess data but when the bit length of the key exceeds 512
> (XFRM_ALGO_KEY_BUF_SIZE), it can result in buffer overflow.
> 
> We can simply divide by 8 here as the only place setting alg_key_len is in
> xfrm_algo_parse() where it is always set to a multiple of 8 (and there are
> already multiple places using "algo->alg_key_len / 8").
> 
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

This looks correct, applied.
