xfrm: fix uctx len check in verify_sec_ctx_len

commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream. It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Xin Long <lucien.xin@gmail.com> 2020-02-09 21:15:29 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-04-02 17:20:34 +0200
commit: fa40d12e2f5026399996ca8f367b99c3fa468605 (patch)
tree: 8303f74fef08c0ef9e291b59fad544732f2c938e /net
parent: 0807f59465b3c3424eebf2488c8cc7b45161e2a5 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index ff641b2e1577..3d1cd36befa7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
 		return 0;
 
 	uctx = nla_data(rt);
-	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+	if (uctx->len > nla_len(rt) ||
+	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
 		return -EINVAL;
 
 	return 0;
author	Xin Long <lucien.xin@gmail.com>	2020-02-09 21:15:29 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-02 17:20:34 +0200
commit	fa40d12e2f5026399996ca8f367b99c3fa468605 (patch)
tree	8303f74fef08c0ef9e291b59fad544732f2c938e /net
parent	0807f59465b3c3424eebf2488c8cc7b45161e2a5 (diff)