Diffstat (limited to 'libre/linux-libre/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch')
-rw-r--r-- | libre/linux-libre/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/libre/linux-libre/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/libre/linux-libre/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
deleted file mode 100644
index 3ccb5289b..000000000
--- a/libre/linux-libre/0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c9c8995fc83b476fdf3fc0c4b498feef2949ec75 Mon Sep 17 00:00:00 2001
-Message-Id: <c9c8995fc83b476fdf3fc0c4b498feef2949ec75.1516188238.git.jan.steffens@gmail.com>
-In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
-References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
-From: Steffen Klassert <steffen.klassert@secunet.com>
-Date: Fri, 22 Dec 2017 10:44:57 +0100
-Subject: [PATCH 3/4] xfrm: Fix stack-out-of-bounds read on socket policy
- lookup.
-
-When we do tunnel or beet mode, we pass saddr and daddr from the
-template to xfrm_state_find(), this is ok. On transport mode,
-we pass the addresses from the flowi, assuming that the IP
-addresses (and address family) don't change during transformation.
-This assumption is wrong in the IPv4 mapped IPv6 case, packet
-is IPv4 and template is IPv6.
-
-Fix this by catching address family missmatches of the policy
-and the flow already before we do the lookup.
-
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
----
- net/xfrm/xfrm_policy.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 6bc16bb61b55..50c5f46b5cca 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
- again:
- pol = rcu_dereference(sk->sk_policy[dir]);
- if (pol != NULL) {
-- bool match = xfrm_selector_match(&pol->selector, fl, family);
-+ bool match;
- int err = 0;
-
-+ if (pol->family != family) {
-+ pol = NULL;
-+ goto out;
-+ }
-+
-+ match = xfrm_selector_match(&pol->selector, fl, family);
- if (match) {
- if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
- pol = NULL;
---
-2.15.1 |