diff options
Diffstat (limited to 'xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch')
| -rw-r--r-- | xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch b/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch deleted file mode 100644 index 0767c4c5ad80..000000000000 --- a/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch +++ /dev/null @@ -1,53 +0,0 @@ -From patchwork Fri Dec 22 09:44:57 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [4/8] xfrm: Fix stack-out-of-bounds read on socket policy lookup. -X-Patchwork-Submitter: Steffen Klassert <steffen.klassert@secunet.com> -X-Patchwork-Id: 852277 -X-Patchwork-Delegate: davem@davemloft.net -Message-Id: <20171222094501.23345-5-steffen.klassert@secunet.com> -To: David Miller <davem@davemloft.net> -Cc: Herbert Xu <herbert@gondor.apana.org.au>, - Steffen Klassert <steffen.klassert@secunet.com>, <netdev@vger.kernel.org> -Date: Fri, 22 Dec 2017 10:44:57 +0100 -From: Steffen Klassert <steffen.klassert@secunet.com> -List-Id: <netdev.vger.kernel.org> - -When we do tunnel or beet mode, we pass saddr and daddr from the -template to xfrm_state_find(), this is ok. On transport mode, -we pass the addresses from the flowi, assuming that the IP -addresses (and address family) don't change during transformation. -This assumption is wrong in the IPv4 mapped IPv6 case, packet -is IPv4 and template is IPv6. - -Fix this by catching address family missmatches of the policy -and the flow already before we do the lookup. - -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> ---- - net/xfrm/xfrm_policy.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index 9542975eb2f9..038ec68f6901 100644 ---- a/net/xfrm/xfrm_policy.c -+++ b/net/xfrm/xfrm_policy.c -@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, - again: - pol = rcu_dereference(sk->sk_policy[dir]); - if (pol != NULL) { -- bool match = xfrm_selector_match(&pol->selector, fl, family); -+ bool match; - int err = 0; - -+ if (pol->family != family) { -+ pol = NULL; -+ goto out; -+ } -+ -+ match = xfrm_selector_match(&pol->selector, fl, family); - if (match) { - if ((sk->sk_mark & pol->mark.m) != pol->mark.v) { - pol = NULL; |