xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

On policies with a transport mode template, we pass the addresses
from the flowi to xfrm_state_find(), assuming that the IP addresses
(and address family) don't change during transformation.

Unfortunately our policy template validation is not strict enough.
It is possible to configure policies with transport mode template
where the address family of the template does not match the selectors
address family. This lead to stack-out-of-bound reads because
we compare arddesses of the wrong family. Fix this by refusing
such a configuration, address family can not change on transport
mode.

We use the assumption that, on transport mode, the first templates
address family must match the address family of the policy selector.
Subsequent transport mode templates must mach the address family of
the previous template.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Steffen Klassert 8 years ago 732706af 75bf50f4

1 changed file

expand all

net

xfrm

xfrm_user.c

net/xfrm/xfrm_user.c

··· 1419 1419 1420 1420 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) 1421 1421 { 1422 + u16 prev_family; 1422 1423 int i; 1423 1424 1424 1425 if (nr > XFRM_MAX_DEPTH) 1425 1426 return -EINVAL; 1427 + 1428 + prev_family = family; 1426 1429 1427 1430 for (i = 0; i < nr; i++) { 1428 1431 /* We never validated the ut->family value, so many ··· 1437 1434 */ 1438 1435 if (!ut[i].family) 1439 1436 ut[i].family = family; 1437 + 1438 + if ((ut[i].mode == XFRM_MODE_TRANSPORT) && 1439 + (ut[i].family != prev_family)) 1440 + return -EINVAL; 1441 + 1442 + prev_family = ut[i].family; 1440 1443 1441 1444 switch (ut[i].family) { 1442 1445 case AF_INET: