From 33f17703cceb1258958fb2049fc0b18b6cc8dea6 Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan
Date: Tue, 15 Aug 2017 15:12:24 -0700
Subject: [PATCH] ANDROID: net: xfrm: check dir value of xfrm_userpolicy_id

Check user provided dir value to prevent out-of-bound access which may occur if dir is not less than XFRM_POLICY_MAX. (url: http://seclists.org/bugtraq/2017/Jul/30)

Bug: 64257838
Signed-off-by: Suren Baghdasaryan
Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0
---
 net/xfrm/xfrm_user.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e44a0fed48dd..1429960cba21 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1734,6 +1734,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
 struct sk_buff *skb;
 int err;

+ err = verify_policy_dir(dir);
+ if (err)
+ return ERR_PTR(err);
+
 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 if (!skb)
 return ERR_PTR(-ENOMEM);
@@ -2255,6 +2259,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
 struct net *net = sock_net(skb->sk);
 struct xfrm_encap_tmpl *encap = NULL;

+ err = verify_policy_dir(pi->dir);
+ if (err)
+ return err;
+
 if (attrs[XFRMA_MIGRATE] == NULL)
 return -EINVAL;

@@ -2388,6 +2396,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 {
 struct net *net = &init_net;
 struct sk_buff *skb;
+ int err;
+
+ err = verify_policy_dir(dir);
+ if (err)
+ return err;

 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k, !!encap),
 GFP_ATOMIC);
@@ -3057,6 +3070,11 @@ out_free_skb:

 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
+ int err;
+
+ err = verify_policy_dir(dir);
+ if (err)
+ return err;

 switch (c->event) {
 case XFRM_MSG_NEWPOLICY:
--
2.20.1
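Review bot: In xfrm_policy_netlink the new `verify_policy_dir(dir)` call sits in a helper that builds a reply skb, so it can only reject the value after the caller has presumably already selected a policy; the checks added to xfrm_send_migrate and xfrm_send_policy_notify are in notification paths and share this placement. If the out-of-bound access named in the commit message happens where dir indexes a per-direction table (not visible in these hunks), these three checks run too late to prevent it and only suppress the reply or notification. I would keep them as sanity checks and say so in a comment, e.g. `/* sanity check only: dir must already be validated where it is read from the message */`. All three function bodies continue outside their hunks.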
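Review bot: The `verify_policy_dir(pi->dir)` check in xfrm_do_migrate validates only the netlink entry point, so any other path that reaches the migrate code with a caller-supplied direction is not covered by this patch. If the indexing by dir lives in a shared migrate routine that other key-management interfaces can also call (not visible on this page), bounding it there as well, `if (dir >= XFRM_POLICY_MAX) return -EINVAL;`, would protect every entry point. `pi` and `err` are declared above the hunk, so it is worth confirming that `pi` already points at the message payload when this line runs.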
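Review bot: xfrm_send_policy_notify takes `int dir` and receives it from kernel callers rather than from a netlink message, so a failed `verify_policy_dir(dir)` here silently drops an event with -EINVAL. Two things need confirming against verify_policy_dir's definition, which is outside this page: whether its parameter is narrower than int, in which case an out-of-range value could be truncated into an accepted one, and whether it accepts every direction value that internal callers legitimately pass, such as any encoding used for per-socket policies. If some legitimate values are rejected, notifications for those policies would stop reaching listeners. A short comment stating which dir values this notifier is expected to forward would make the intent reviewable.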