diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2017-12-08 08:07:25 +0100 |
|---|---|---|
| committer | Eric Olsen <eolsen@google.com> | 2018-07-06 14:12:32 -0700 |
| commit | 8ae00a4dce7333bbd508cf7a93f2a03ceea8f6f5 (patch) | |
| tree | 523f27bcdbee8e210594eee274c2d0ee0f652c5e | |
| parent | 08825f77700d23eef4ef00e0e4783a9067953192 (diff) | |
| download | qcom-msm8x09-v3.10-8ae00a4dce7333bbd508cf7a93f2a03ceea8f6f5.tar.gz | |
xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
On policies with a transport mode template, we pass the addresses
from the flowi to xfrm_state_find(), assuming that the IP addresses
(and address family) don't change during transformation.
Unfortunately our policy template validation is not strict enough.
It is possible to configure policies with transport mode template
where the address family of the template does not match the selectors
address family. This lead to stack-out-of-bound reads because
we compare arddesses of the wrong family. Fix this by refusing
such a configuration, address family can not change on transport
mode.
We use the assumption that, on transport mode, the first templates
address family must match the address family of the policy selector.
Subsequent transport mode templates must mach the address family of
the previous template.
Change-Id: I33678e32df020045f419f38fc4d955863c42409a
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Git-commit: 732706afe1cc46ef48493b3d2b69c98f36314ae4
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Acked-by: Sharath Chandra Vurukala <sharathv@qti.qualcomm.com>
| -rw-r--r-- | net/xfrm/xfrm_user.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c7dac175965..7b7cb305dfb 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1273,11 +1273,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) { + u16 prev_family; int i; if (nr > XFRM_MAX_DEPTH) return -EINVAL; + prev_family = family; + for (i = 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was @@ -1289,6 +1292,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) if (!ut[i].family) ut[i].family = family; + if ((ut[i].mode == XFRM_MODE_TRANSPORT) && + (ut[i].family != prev_family)) + return -EINVAL; + + prev_family = ut[i].family; + switch (ut[i].family) { case AF_INET: break; |