author | Suren Baghdasaryan <surenb@google.com> | 2017-08-15 15:12:24 -0700 |
---|---|---|
committer | Suren Baghdasaryan <surenb@google.com> | 2017-08-21 09:04:45 -0700 |
commit | 34803e7c1c92f53603f6aa11235915afc2589290 (patch) | |
tree | c7b680ed9bd156a97622c7a14335f743e5c3442c | |
parent | c2e26216b788c939e995b08f82d24de6212f99fd (diff) | |
download | common-34803e7c1c92f53603f6aa11235915afc2589290.tar.gz |
ANDROID: check dir value of xfrm_userpolicy_idASB-2017-11-06_4.9-o-releaseASB-2017-10-5_4.9-o-release
Check user provided dir value to prevent out-of-bound access
which may occur if dir is not less than XFRM_POLICY_MAX.
(url: http://seclists.org/bugtraq/2017/Jul/30)
Bug: 64257838
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0
-rw-r--r-- | net/xfrm/xfrm_user.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a7e27e1140dd..b2bba35e90b6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1695,6 +1695,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
 struct sk_buff *skb;
 int err;

+ err = verify_policy_dir(dir);
+ if (err)
+ return ERR_PTR(err);
+
 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 if (!skb)
 return ERR_PTR(-ENOMEM);
@@ -2216,6 +2220,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
 int n = 0;
 struct net *net = sock_net(skb->sk);

+ err = verify_policy_dir(pi->dir);
+ if (err)
+ return err;
+
 if (attrs[XFRMA_MIGRATE] == NULL)
 return -EINVAL;

@@ -2331,6 +2339,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 {
 struct net *net = &init_net;
 struct sk_buff *skb;
+ int err;
+
+ err = verify_policy_dir(dir);
+ if (err)
+ return err;

 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC);
 if (skb == NULL)
@@ -2985,6 +2998,11 @@ out_free_skb:

 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
+ int err;
+
+ err = verify_policy_dir(dir);
+ if (err)
+ return err;

 switch (c->event) {
 case XFRM_MSG_NEWPOLICY: |
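Review bot: In xfrm_do_migrate, `pi->dir` is rejected at the netlink handler, but the array access the commit message describes is not part of this diff, so any other entry point that reaches it with an unchecked direction would not be covered by this check. Consider also bounding the value at the place where it is used as an index, e.g. `if (dir >= XFRM_POLICY_MAX) return -EINVAL;`, so the guard travels with the sink rather than with one caller. The same placement question applies to the check added in xfrm_policy_netlink. The declarations of `pi` and `err` sit above this hunk, so I am assuming `pi` already points at the message payload when the check runs.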
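Review bot: In xfrm_send_migrate, and again in xfrm_send_policy_notify, `dir` arrives from in-kernel callers rather than from the netlink message, so a failed `verify_policy_dir(dir)` returns before any notification is built and nothing records that an event was dropped. verify_policy_dir is defined outside this diff; it is worth confirming that no legitimate caller of xfrm_send_policy_notify passes a direction outside the range it accepts (per-socket policies, which as far as I know can carry a direction offset by XFRM_POLICY_MAX, are the case to check). A short comment above each check would make the intent clear, for example `/* dir comes from in-kernel callers; an out-of-range value means a caller bug, drop the event */`. Both function bodies continue past their hunks.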