xfrm: Restrict SA direction attribute to specific netlink message types
authorAntony Antony <antony.antony@secunet.com>
Tue, 30 Apr 2024 07:09:45 +0000 (09:09 +0200)
committerSteffen Klassert <steffen.klassert@secunet.com>
Wed, 1 May 2024 08:06:59 +0000 (10:06 +0200)
Reject the usage of the SA_DIR attribute in xfrm netlink messages when
it's not applicable. This ensures that SA_DIR is only accepted for the
message types where a direction is meaningful (NEWSA, UPDSA and ALLOCSPI).

Signed-off-by: Antony Antony <antony.antony@secunet.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/xfrm/xfrm_user.c

index f5eb3af4fb8111ba0c0141995f229c03f8817e8f..e83c687bd64ee9c80de7c9cbfc91d5b6dcbff3fb 100644 (file)
@@ -3213,6 +3213,24 @@ static const struct xfrm_link {
        [XFRM_MSG_GETDEFAULT  - XFRM_MSG_BASE] = { .doit = xfrm_get_default   },
 };
 
+static int xfrm_reject_unused_attr(int type, struct nlattr **attrs,
+                                  struct netlink_ext_ack *extack)
+{
+       if (attrs[XFRMA_SA_DIR]) {
+               switch (type) {
+               case XFRM_MSG_NEWSA:
+               case XFRM_MSG_UPDSA:
+               case XFRM_MSG_ALLOCSPI:
+                       break;
+               default:
+                       NL_SET_ERR_MSG(extack, "Invalid attribute SA_DIR");
+                       return -EINVAL;
+               }
+       }
+
+       return 0;
+}
+
 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                             struct netlink_ext_ack *extack)
 {
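Review bot: The new helper `xfrm_reject_unused_attr` carries no comment stating which attribute it polices or why only NEWSA, UPDSA and ALLOCSPI may carry it, and the `default:` error text gives a userspace caller no hint of which message types are allowed; a one-line header such as `/* XFRMA_SA_DIR is only meaningful when an SA is created or updated (NEWSA, UPDSA) or an SPI is allocated (ALLOCSPI); reject it on every other message type. */` and a more specific extack string, `NL_SET_ERR_MSG(extack, "SA_DIR is only valid for NEWSA, UPDSA and ALLOCSPI");`, would make both the intent and the rejection self-explanatory. The `type` parameter is expected as an absolute `XFRM_MSG_*` value (the caller adds `XFRM_MSG_BASE` back), which is worth saying in that comment since the surrounding table is indexed by `type - XFRM_MSG_BASE`. The `xfrm_user_rcv_msg` definition that begins at the end of this hunk continues outside it.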
@@ -3272,6 +3290,12 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (err < 0)
                goto err;
 
+       if (!link->nla_pol || link->nla_pol == xfrma_policy) {
+               err = xfrm_reject_unused_attr((type + XFRM_MSG_BASE), attrs, extack);
+               if (err < 0)
+                       goto err;
+       }
+
        if (link->doit == NULL) {
                err = -EINVAL;
                goto err;
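Review bot: The gate `if (!link->nla_pol || link->nla_pol == xfrma_policy)` is the security-relevant part of this hunk and is left unexplained; presumably it exists because a link with its own policy parses a different (likely smaller) attribute set, so `attrs[XFRMA_SA_DIR]` is not a reliably populated slot for those links — that reasoning should be confirmed against the parse call above the hunk and recorded, e.g. `/* SA_DIR lives only in xfrma_policy; links with a private policy never parse it, so skip the check there */`. Without such a comment a future link that adds a private policy containing XFRMA_SA_DIR would silently bypass the restriction. As a style point, `(type + XFRM_MSG_BASE)` needs no parentheses, and if `type` is derived from `nlh->nlmsg_type` as the table indexing suggests, passing `nlh->nlmsg_type` directly avoids the round trip. The enclosing `xfrm_user_rcv_msg` starts outside this hunk.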