| From ca3c37e1f304a3a40f0b409608088d3683d30eb0 Mon Sep 17 00:00:00 2001 |
| From: Steffen Klassert <steffen.klassert@secunet.com> |
| Date: Wed, 1 Aug 2018 13:45:11 +0200 |
| Subject: xfrm: Validate address prefix lengths in the xfrm selector. |
| |
| [ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ] |
| |
| We don't validate the address prefix lengths in the xfrm |
| selector we got from userspace. This can lead to undefined |
| behaviour in the address matching functions if the prefix |
| is too big for the given address family. Fix this by checking |
| the prefixes and refusing SA/policy insertion when a prefix |
| is invalid. |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Reported-by: Air Icy <icytxw@gmail.com> |
| Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/xfrm/xfrm_user.c | 12 ++++++++++++ |
| 1 file changed, 12 insertions(+) |
| |
| diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c |
| index 6e768093d7c8..b7ac834a6091 100644 |
| --- a/net/xfrm/xfrm_user.c |
| +++ b/net/xfrm/xfrm_user.c |
| @@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, |
| err = -EINVAL; |
| switch (p->family) { |
| case AF_INET: |
| + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) |
| + goto out; |
| + |
| break; |
| |
| case AF_INET6: |
| #if IS_ENABLED(CONFIG_IPV6) |
| + if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) |
| + goto out; |
| + |
| break; |
| #else |
| err = -EAFNOSUPPORT; |
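Review bot: The bounds added to verify_newsa_info are selected by `p->family`, but the lengths being checked belong to `p->sel`, which has its own `family` field; the verify_newpolicy_info hunk in this same patch switches on `p->sel.family` instead. If the selector family is allowed to differ from the SA family (likely for inter-family tunnels, but not visible here), an IPv4 selector on an AF_INET6 SA would still pass with a prefix length up to 128. That leaves the out-of-range case the commit message describes, and an IPv6 selector on an AF_INET SA would be wrongly rejected above 32. I would keep the existing switch for validating the SA family and bound the prefixes in a separate switch on the selector family, as sketched below. How an unset selector family should be bounded needs confirming against the matching code, and the function body starts and ends outside the hunk.

```c
	/* … unchanged: switch (p->family) validating the SA family, minus the prefix checks … */

	/* Prefix lengths belong to the selector, so bound them by its family. */
	switch (p->sel.family) {
	case AF_UNSPEC:
		/* TODO confirm which bound applies when the selector family is unset */
		break;

	case AF_INET:
		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
			goto out;
		break;

	case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
		if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
			goto out;
		break;
#else
		err = -EAFNOSUPPORT;
		goto out;
#endif

	default:
		goto out;
	}
```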
| @@ -1316,10 +1322,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) |
| |
| switch (p->sel.family) { |
| case AF_INET: |
| + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) |
| + return -EINVAL; |
| + |
| break; |
| |
| case AF_INET6: |
| #if IS_ENABLED(CONFIG_IPV6) |
| + if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) |
| + return -EINVAL; |
| + |
| break; |
| #else |
| return -EAFNOSUPPORT; |
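Review bot: The literal limits `32` and `128` are open-coded here and again in verify_newsa_info, so the one rule is written four times across two functions. A small static helper that takes the `struct xfrm_selector` and returns whether `prefixlen_d` and `prefixlen_s` fit the selector's own family would keep both callers on the same rule. Any other netlink path that accepts a selector from userspace could then reuse it. I would also add a one-line comment at the check, for example `/* prefix length must not exceed the address width, or address matching is undefined */`, so the reason for the bound survives without the commit message. The function continues outside the hunk, so the `default:` handling of other families is not visible here.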
| -- |
| 2.17.1 |
| |