On 7/22/20 2:33 AM, Steffen Klassert wrote:
On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
In pfkey_dump() dplen and splen can both be specified to access the
xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
when it calls addr_match() with the indexes. Return EINVAL if either
are out of range.
Signed-off-by: Mark Salyzyn <saly...@android.com>
Cc: netdev@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
---
Should be back ported to the stable queues because this is a out of
bounds access.
Please do a v2 and add a proper 'Fixes' tag if this is a fix that
needs to be backported.
Thanks!
Confused because this code was never right? From 2008 there was a
rewrite that instantiated this fragment of code so that it could handle
continuations for overloaded receive queues, but it was not right before
the adjustment.
Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP
entries non-atomically")
that is reaching back more than 12 years and the blame is poorly aimed
AFAIK.
Sincerely -- Mark Salyzyn
