ANDROID: net: xfrm: check dir value of xfrm_userpolicy_id

Check user provided dir value to prevent out-of-bound access
which may occur if dir is not less than XFRM_POLICY_MAX.

(url: http://seclists.org/bugtraq/2017/Jul/30)

Bug: 64257838
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e44a0fed48dd088ac95a0726a5f2b58b0f07c5bb..1429960cba214b1e38ac2bf7ca2f244b1c510651 100644 (file)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1734,6 +1734,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
        struct sk_buff *skb;
        int err;
 
+       err = verify_policy_dir(dir);
+       if (err)
+               return ERR_PTR(err);
+
        skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
        if (!skb)
                return ERR_PTR(-ENOMEM);
@@ -2255,6 +2259,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct net *net = sock_net(skb->sk);
        struct xfrm_encap_tmpl  *encap = NULL;
 
+       err = verify_policy_dir(pi->dir);
+       if (err)
+               return err;
+
        if (attrs[XFRMA_MIGRATE] == NULL)
                return -EINVAL;
 
@@ -2388,6 +2396,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 {
        struct net *net = &init_net;
        struct sk_buff *skb;
+       int err;
+
+       err = verify_policy_dir(dir);
+       if (err)
+               return err;
 
        skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k, !!encap),
                        GFP_ATOMIC);
@@ -3057,6 +3070,11 @@ out_free_skb:
 
 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
+       int err;
+
+       err = verify_policy_dir(dir);
+       if (err)
+               return err;
 
        switch (c->event) {
        case XFRM_MSG_NEWPOLICY: