Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds

On 2019/3/5 15:31, Steffen Klassert wrote: On Tue, Mar 05, 2019 at 03:08:49PM +0800, Su Yanjun wrote: On 2019/3/5 14:49, Herbert Xu wrote: On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote: When i review xfrm_user.c code, i found some potentical bug in it. In xfrm_user_rcvmsg if

Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds

On Tue, Mar 05, 2019 at 03:08:49PM +0800, Su Yanjun wrote: > On 2019/3/5 14:49, Herbert Xu wrote: > > > On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote: > > > When i review xfrm_user.c code, i found some potentical bug in it. > > > > > > In xfrm_user_rcvmsg if type parameter from user

Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds

On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote: > When i review xfrm_user.c code, i found some potentical bug in it. > > In xfrm_user_rcvmsg if type parameter from user space is set to > XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO. It will cause > xfrm_user_rcv_msg refe

[PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds

When i review xfrm_user.c code, i found some potentical bug in it. In xfrm_user_rcvmsg if type parameter from user space is set to XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO. It will cause xfrm_user_rcv_msg referring to null entry in xfrm_dispatch array. Signed-off-by: Su Yanjun