af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
authorSteffen Klassert <steffen.klassert@secunet.com>
Fri, 5 May 2017 05:40:42 +0000 (07:40 +0200)
committerSteffen Klassert <steffen.klassert@secunet.com>
Mon, 8 May 2017 06:03:01 +0000 (08:03 +0200)
The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/key/af_key.c

index c1950bb14735bc914b53c0476342f2679ad50b87..512dc43d0ce6814f0a6d0507805025d75234eece 100644 (file)
@@ -3285,7 +3285,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
                p += pol->sadb_x_policy_len*8;
                sec_ctx = (struct sadb_x_sec_ctx *)p;
                if (len < pol->sadb_x_policy_len*8 +
-                   sec_ctx->sadb_x_sec_len) {
+                   sec_ctx->sadb_x_sec_len*8) {
                        *dir = -EINVAL;
                        goto out;
                }