diff options
author | Kevin Easton <kevin@guarana.org> | 2018-04-07 11:40:33 -0400 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2018-04-09 07:06:38 +0200 |
commit | 4b66af2d6356a00e94bcdea3e7fea324e8b5c6f4 (patch) | |
tree | 3efe012a7d80247996cbca68eff8aca7894853c5 /net/ipv6/xfrm6_tunnel.c | |
parent | 76327a35caabd1a932e83d6a42b967aa08584e5d (diff) | |
download | linux-4b66af2d6356a00e94bcdea3e7fea324e8b5c6f4.tar.gz |
af_key: Always verify length of provided sadb_key
Key extensions (struct sadb_key) include a user-specified number of key bits. The kernel uses that number to determine how much key data to copy out of the message in pfkey_msg2xfrm_state(). The length of the sadb_key message must be verified to be long enough, even in the case of SADB_X_AALG_NULL. Furthermore, the sadb_key_len value must be long enough to include both the key data and the struct sadb_key itself. Introduce a helper function verify_key_len(), and call it from parse_exthdrs() where other exthdr types are similarly checked for correctness. Signed-off-by: Kevin Easton <kevin@guarana.org> Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/ipv6/xfrm6_tunnel.c')
0 files changed, 0 insertions, 0 deletions