    af_key: Always verify length of provided sadb_key · 702b477d
    Kevin Easton authored
    commit 4b66af2d upstream.
    
    Key extensions (struct sadb_key) include a user-specified number of key
    bits.  The kernel uses that number to determine how much key data to copy
    out of the message in pfkey_msg2xfrm_state().
    
    The length of the sadb_key message must be verified to be long enough,
    even in the case of SADB_X_AALG_NULL.  Furthermore, the sadb_key_len value
    must be long enough to include both the key data and the struct sadb_key
    itself.
    
    Introduce a helper function verify_key_len(), and call it from
    parse_exthdrs() where other exthdr types are similarly checked for
    correctness.
    
    Signed-off-by: Kevin Easton <kevin@guarana.org>
    Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Zubin Mithra <zsm@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
af_key.c 103 KB
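
The length rule described in the commit message above, as an added userspace example (not the kernel's verify_key_len() and not code from this page). The `ex_` names are hypothetical, and the struct is a local mirror of the RFC 2367 key extension header, whose sadb_key_len field counts 64-bit words.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirror of the RFC 2367 key extension header; defined here (an
 * assumption of this example) so it builds without kernel headers. */
struct ex_sadb_key {
    uint16_t sadb_key_len;      /* whole extension, in 64-bit words */
    uint16_t sadb_key_exttype;
    uint16_t sadb_key_bits;     /* user-specified number of key bits */
    uint16_t sadb_key_reserved;
};

/* 64-bit words needed to hold the header plus sadb_key_bits of key data. */
static unsigned int ex_words_needed(const struct ex_sadb_key *key)
{
    size_t key_bytes = ((size_t)key->sadb_key_bits + 7) / 8;

    return (unsigned int)((sizeof(*key) + key_bytes + 7) / 8);
}

/* 0 if the declared length covers header and key data, -1 otherwise.
 * Applied regardless of algorithm, so a zero-bit key still needs 1 word. */
static int ex_verify_key_len(const struct ex_sadb_key *key)
{
    return ex_words_needed(key) > key->sadb_key_len ? -1 : 0;
}

/* Hypothetical helper: build a header from constructed values and check it. */
int ex_check(uint16_t len_words, uint16_t key_bits)
{
    struct ex_sadb_key key = { len_words, 0, key_bits, 0 };

    return ex_verify_key_len(&key);
}

int main(void)
{
    /* Constructed samples: {declared words, key bits}. */
    static const uint16_t cases[][2] = {
        { 3, 128 }, { 2, 128 }, { 1, 0 }, { 0, 0 }, { 1024, 65535 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("len=%u words, bits=%u -> %s\n", (unsigned)cases[i][0],
               (unsigned)cases[i][1],
               ex_check(cases[i][0], cases[i][1]) ? "reject" : "accept");
    return 0;
}
```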