Skip to content

L
linux
Commit 0f70407a authored by Thomas Walpuski's avatar Thomas Walpuski Committed by Sridhar Samudrala
Browse files
Options

[IPSEC]: Fix some buglets in xfrm_user.c

parent 285def0f
Hide whitespace changes
Inline Side-by-side
Showing with 7 additions and 5 deletions
net/ipv4/xfrm_user.c
View file @ 0f70407a
...@@ -276,9 +276,11 @@ static int dump_one_state(struct xfrm_state *x, int count, void *ptr) ...@@ -276,9 +276,11 @@ static int dump_one_state(struct xfrm_state *x, int count, void *ptr)
copy_to_user_state(x, p); copy_to_user_state(x, p);
if (x->aalg) if (x->aalg)
RTA_PUT(skb, XFRMA_ALG_AUTH, sizeof(*(x->aalg)), x->aalg); RTA_PUT(skb, XFRMA_ALG_AUTH,
sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg);
if (x->ealg) if (x->ealg)
RTA_PUT(skb, XFRMA_ALG_CRYPT, sizeof(*(x->ealg)), x->ealg); RTA_PUT(skb, XFRMA_ALG_CRYPT,
sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg);
if (x->calg) if (x->calg)
RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
...@@ -655,6 +657,7 @@ static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -655,6 +657,7 @@ static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
info.in_skb = cb->skb; info.in_skb = cb->skb;
info.out_skb = skb; info.out_skb = skb;
info.nlmsg_seq = cb->nlh->nlmsg_seq; info.nlmsg_seq = cb->nlh->nlmsg_seq;
info.this_idx = 0;
info.start_idx = cb->args[0]; info.start_idx = cb->args[0];
(void) xfrm_policy_walk(dump_one_policy, &info); (void) xfrm_policy_walk(dump_one_policy, &info);
cb->args[0] = info.this_idx; cb->args[0] = info.this_idx;
...@@ -752,7 +755,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err ...@@ -752,7 +755,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err
{ {
struct rtattr *xfrma[XFRMA_MAX]; struct rtattr *xfrma[XFRMA_MAX];
struct xfrm_link *link; struct xfrm_link *link;
int type, min_len, kind; int type, min_len;
if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) if (!(nlh->nlmsg_flags & NLM_F_REQUEST))
return 0; return 0;
...@@ -768,7 +771,6 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err ...@@ -768,7 +771,6 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err
goto err_einval; goto err_einval;
type -= XFRM_MSG_BASE; type -= XFRM_MSG_BASE;
kind = (type & 3);
link = &xfrm_dispatch[type]; link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */ /* All operations require privileges, even GET */
...@@ -777,7 +779,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err ...@@ -777,7 +779,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err
return -1; return -1;
} }
if (kind == 2 && (nlh->nlmsg_flags & NLM_F_DUMP)) { if ((type == 2 || type == 5) && (nlh->nlmsg_flags & NLM_F_DUMP)) {
u32 rlen; u32 rlen;
if (link->dump == NULL) if (link->dump == NULL)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7