Commit 3f0ab59

qsn authored and klassert committed
xfrm: validate new SA's prefixlen using SA family when sel.family is unset
This expands the validation introduced in commit 07bf790 ("xfrm: Validate address prefix lengths in the xfrm selector.")

syzbot created an SA with

    usersa.sel.family = AF_UNSPEC
    usersa.sel.prefixlen_s = 128
    usersa.family = AF_INET

Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET).

Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on.

Reported-by: [email protected]
Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: Sabrina Dubroca <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
1 parent 645546a commit 3f0ab59
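The gap the commit message describes, modelled in user space as an added example (not code from the kernel or from this patch): the selector family is resolved the way copy_from_user_state() will resolve it before the prefix lengths are bounded. The 32/128-bit limits from commit 07bf790 and the value of the XFRM_STATE_AF_UNSPEC flag are assumptions copied into local constants, and `prefixlen_valid()` with `fixed == false` reproduces the pre-patch switch on `p->sel.family` directly.

```c
/* User-space model of the prefixlen check in verify_newsa_info().
 * Assumed constants: AF_INET limit 32, AF_INET6 limit 128 (commit 07bf790),
 * XFRM_STATE_AF_UNSPEC flag value (uapi linux/xfrm.h). */
#include <stdbool.h>
#include <stdint.h>
#include <sys/socket.h>

#define MODEL_XFRM_STATE_AF_UNSPEC 32u  /* assumed value of the uapi flag */

/* Only the fields of struct xfrm_usersa_info that the check reads. */
struct usersa_model {
    uint16_t sel_family;   /* p->sel.family */
    uint8_t  prefixlen_s;  /* p->sel.prefixlen_s */
    uint8_t  prefixlen_d;  /* p->sel.prefixlen_d */
    uint16_t family;       /* p->family */
    uint32_t flags;        /* p->flags */
};

/* true if the selector prefix lengths fit the address family that the SA
 * will actually use; fixed == false is the pre-patch behaviour. */
static bool prefixlen_valid(const struct usersa_model *p, bool fixed)
{
    uint16_t family = p->sel_family;

    /* The patch: resolve AF_UNSPEC to the SA family unless the caller asked
     * to keep the selector family-agnostic, mirroring copy_from_user_state(). */
    if (fixed && family == AF_UNSPEC && !(p->flags & MODEL_XFRM_STATE_AF_UNSPEC))
        family = p->family;

    switch (family) {
    case AF_UNSPEC:
        return true;  /* no selector address, nothing to bound */
    case AF_INET:
        return p->prefixlen_s <= 32 && p->prefixlen_d <= 32;
    case AF_INET6:
        return p->prefixlen_s <= 128 && p->prefixlen_d <= 128;
    default:
        return false;
    }
}

/* Constructed inputs: the syzbot SA from the commit message, the same SA
 * with XFRM_STATE_AF_UNSPEC set, and a well-formed IPv6 selector. */
static const struct usersa_model syzbot_sa = {
    .sel_family = AF_UNSPEC, .prefixlen_s = 128, .prefixlen_d = 0,
    .family = AF_INET, .flags = 0 };
static const struct usersa_model flagged_sa = {
    .sel_family = AF_UNSPEC, .prefixlen_s = 128, .prefixlen_d = 0,
    .family = AF_INET, .flags = MODEL_XFRM_STATE_AF_UNSPEC };
static const struct usersa_model v6_sa = {
    .sel_family = AF_INET6, .prefixlen_s = 128, .prefixlen_d = 64,
    .family = AF_INET6, .flags = 0 };
```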

1 file changed

+5
-1
lines changed

net/xfrm/xfrm_user.c

Lines changed: 5 additions & 1 deletion
@@ -201,6 +201,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
201201
{
202202
int err;
203203
u8 sa_dir = attrs[XFRMA_SA_DIR] ? nla_get_u8(attrs[XFRMA_SA_DIR]) : 0;
204+
u16 family = p->sel.family;
204205

205206
err = -EINVAL;
206207
switch (p->family) {
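Review bot: the new local `u16 family = p->sel.family;` would benefit from a one-line comment saying it holds the selector family as copy_from_user_state() will later resolve it, because in this hunk it is just a copy of a userspace-supplied field and the reason it exists only becomes clear further down. It is also read before the `switch (p->family)` below has validated p->family, which is safe only because the substitution with p->family happens after that switch; a comment makes that ordering constraint explicit for the next person who reorders the checks.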
@@ -221,7 +222,10 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
221222
goto out;
222223
}
223224

224-
switch (p->sel.family) {
225+
if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC))
226+
family = p->family;
227+
228+
switch (family) {
225229
case AF_UNSPEC:
226230
break;
227231

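Review bot: `if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC))` relies on AF_UNSPEC being zero, while the `switch (family)` directly below spells out `case AF_UNSPEC:`; writing the condition as `if (family == AF_UNSPEC && !(p->flags & XFRM_STATE_AF_UNSPEC))` keeps the two consistent. Per the commit message this condition duplicates the resolution done in copy_from_user_state(), so either a comment pointing there or a small shared helper used by both would prevent the two from drifting apart, since any future divergence reopens exactly the prefixlen gap this commit closes.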