Re: [PATCH v2 1/2] af_key: Always verify length of provided sadb_key

From: Steffen Klassert
Date: Mon Apr 09 2018 - 06:33:50 EST

Next message: Steffen Klassert: "Re: [PATCH v2 2/2] af_key: Use DIV_ROUND_UP() instead of open-coded equivalent"
Previous message: Steffen Klassert: "Re: [PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Apr 07, 2018 at 11:40:33AM -0400, Kevin Easton wrote:
> Key extensions (struct sadb_key) include a user-specified number of key
> bits. The kernel uses that number to determine how much key data to copy
> out of the message in pfkey_msg2xfrm_state().
>
> The length of the sadb_key message must be verified to be long enough,
> even in the case of SADB_X_AALG_NULL. Furthermore, the sadb_key_len value
> must be long enough to include both the key data and the struct sadb_key
> itself.
>
> Introduce a helper function verify_key_len(), and call it from
> parse_exthdrs() where other exthdr types are similarly checked for
> correctness.
>
> Signed-off-by: Kevin Easton <kevin@xxxxxxxxxxx>
> Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@xxxxxxxxxxxxxxxxxxxxxxxxx

Applied to the ipsec tree, thanks Kevin!

Next message: Steffen Klassert: "Re: [PATCH v2 2/2] af_key: Use DIV_ROUND_UP() instead of open-coded equivalent"
Previous message: Steffen Klassert: "Re: [PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]