af_key: Fix slab-out-of-bounds in pfkey_compile_policy.

[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ] The sadb_x_sec_len is stored in the unit 'byte divided by eight'. So we have to multiply this value by eight before we can do size checks. Otherwise we may get a slab-out-of-bounds when we memcpy the user sec_ctx. Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.") Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Steffen Klassert <steffen.klassert@secunet.com> 2017-05-05 07:40:42 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-13 19:47:51 +0200
commit: a587acdbb01fa549b9fdc272d079398379b0e25e (patch)
tree: f9c2047af15e3f72eced849f0ff0ea5b233ce71c /net
parent: 84284968156340dce4e942b1cebea66c3d4f8146 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 6482b001f19a..15150b412930 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3305,7 +3305,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
 		p += pol->sadb_x_policy_len*8;
 		sec_ctx = (struct sadb_x_sec_ctx *)p;
 		if (len < pol->sadb_x_policy_len*8 +
-		    sec_ctx->sadb_x_sec_len) {
+		    sec_ctx->sadb_x_sec_len*8) {
 			*dir = -EINVAL;
 			goto out;
 		}
author	Steffen Klassert <steffen.klassert@secunet.com>	2017-05-05 07:40:42 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-04-13 19:47:51 +0200
commit	a587acdbb01fa549b9fdc272d079398379b0e25e (patch)
tree	f9c2047af15e3f72eced849f0ff0ea5b233ce71c /net
parent	84284968156340dce4e942b1cebea66c3d4f8146 (diff)