All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH ipsec] xfrm: fix uctx len check in verify_sec_ctx_len
@ 2020-02-09 13:15 Xin Long
  2020-02-13  9:55 ` Steffen Klassert
  0 siblings, 1 reply; 2+ messages in thread
From: Xin Long @ 2020-02-09 13:15 UTC (permalink / raw)
  To: netdev
  Cc: Steffen Klassert, Herbert Xu, David S. Miller, Trent Jaeger,
	Jamal Hadi Salim, Sabrina Dubroca

It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.

This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/xfrm/xfrm_user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b88ba45..38ff02d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
 		return 0;
 
 	uctx = nla_data(rt);
-	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+	if (uctx->len > nla_len(rt) ||
+	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
 		return -EINVAL;
 
 	return 0;
-- 
2.1.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH ipsec] xfrm: fix uctx len check in verify_sec_ctx_len
  2020-02-09 13:15 [PATCH ipsec] xfrm: fix uctx len check in verify_sec_ctx_len Xin Long
@ 2020-02-13  9:55 ` Steffen Klassert
  0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2020-02-13  9:55 UTC (permalink / raw)
  To: Xin Long
  Cc: netdev, Herbert Xu, David S. Miller, Trent Jaeger,
	Jamal Hadi Salim, Sabrina Dubroca

On Sun, Feb 09, 2020 at 09:15:29PM +0800, Xin Long wrote:
> It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
> uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
> in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
> later.
> 
> This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).
> 
> Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied, thanks!

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-13  9:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-09 13:15 [PATCH ipsec] xfrm: fix uctx len check in verify_sec_ctx_len Xin Long
2020-02-13  9:55 ` Steffen Klassert

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.