Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)

Code path when (encap_type < 0) does not verify the state is valid
before progressing.

This will result in a crash if, for instance, x->km.state ==
XFRM_STATE_ACQ.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Signed-off-by: Aviv Heller <avivh@mellanox.com>
Signed-off-by: Yevgeny Kliteynik <kliteyn@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

authored by Aviv Heller and committed by Steffen Klassert
4ce3dbe3 e7191358

+11 -1
net/xfrm/xfrm_input.c
··· 207 207 xfrm_address_t *daddr; 208 208 struct xfrm_mode *inner_mode; 209 209 u32 mark = skb->mark; 210 - unsigned int family; 210 + unsigned int family = AF_UNSPEC; 211 211 int decaps = 0; 212 212 int async = 0; 213 213 bool xfrm_gro = false; ··· 216 216 217 217 if (encap_type < 0) { 218 218 x = xfrm_input_state(skb); 219 + 220 + if (unlikely(x->km.state != XFRM_STATE_VALID)) { 221 + if (x->km.state == XFRM_STATE_ACQ) 222 + XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR); 223 + else 224 + XFRM_INC_STATS(net, 225 + LINUX_MIB_XFRMINSTATEINVALID); 226 + goto drop; 227 + } 228 + 219 229 family = x->outer_mode->afinfo->family; 220 230 221 231 /* An encap_type of -1 indicates async resumption. */
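Review bot: the new `goto drop` on the `x->km.state != XFRM_STATE_VALID` branch jumps out before `family = x->outer_mode->afinfo->family;` is reached, so the change of the declaration from `unsigned int family;` to `unsigned int family = AF_UNSPEC;` is what keeps the `drop:` path from reading an uninitialized `family`; please confirm that whatever `drop:` does with `family` tolerates `AF_UNSPEC`, and consider a one-line comment next to the initializer explaining that it exists for this early exit, since the two edits are otherwise unconnected to a reader of the hunk. Also worth noting in the commit message is that the `x->km.state` read here is done with no lock visible in the hunk; if state transitions on this `encap_type < 0` path are serialized elsewhere, say so, and if not, the `XFRM_STATE_ACQ` check that the commit message calls out as the crash trigger is racy with a state that becomes valid concurrently. The `XFRM_STATE_ACQ` / other split of the counters (`LINUX_MIB_XFRMACQUIREERROR` vs `LINUX_MIB_XFRMINSTATEINVALID`) is the right choice for detection, since it lets an operator distinguish a dropped packet that hit a pending acquire from one that hit a genuinely invalid SA.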