Google Git
Sign in
kernel/pub/scm/linux/kernel/git/klassert/ipsec-next.git/refs/heads/master^!/.
commit
41c4d3b26f5e23609cd4b5ca561a399a097daabe
[log]
author
David Ahern <dahern@nvidia.com>
Wed May 13 10:50:24 2026 -0600
committer
Steffen Klassert <steffen.klassert@secunet.com>
Thu May 14 10:24:10 2026 +0200
tree
133d547a707ddfd0cb3edb3de3bc2e5669d9abf2
parent
a77d172177f3754ebd70123c78c75a6efa9eec2a [diff]
xfrm: Reject excessive values for XFRMA_TFCPAD

tfcpad is a u32, but that full range is excessive for padding.
Limit it to max IP length (64k).

Signed-off-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index ae144d1..e87f33a 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c

@@ -937,8 +937,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 				   attrs[XFRMA_ALG_COMP], extack)))
 		goto error;
 
-	if (attrs[XFRMA_TFCPAD])
+	if (attrs[XFRMA_TFCPAD]) {
 		x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
+		if (x->tfcpad > IP_MAX_MTU) {
+			NL_SET_ERR_MSG(extack, "Excessive TFC padding");
+			err = -EINVAL;
+			goto error;
+		}
+	}
 
 	xfrm_mark_get(attrs, &x->mark);