af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.
Fixes: df71837d50
("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
9b3eb54106
commit
d90c902449
1 changed files with 1 additions and 1 deletions
|
@ -3285,7 +3285,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
|
|||
p += pol->sadb_x_policy_len*8;
|
||||
sec_ctx = (struct sadb_x_sec_ctx *)p;
|
||||
if (len < pol->sadb_x_policy_len*8 +
|
||||
sec_ctx->sadb_x_sec_len) {
|
||||
sec_ctx->sadb_x_sec_len*8) {
|
||||
*dir = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue