iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[ESP]: Ensure IV is in linear part of the skb to avoid BUG() due to OOB access

Browse Source 
ESP does not account for the IV size when calling pskb_may_pull() to
ensure everything it accesses directly is within the linear part of a
potential fragment. This results in a BUG() being triggered when the
both the IPv4 and IPv6 ESP stack is fed with an skb where the first
fragment ends between the end of the esp header and the end of the IV.

This bug was found by Dirk Nehring <dnehring@gmx.net> .

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Thomas Graf 2008-03-27 16:08:03 -07:00 committed by David S. Miller
parent 732c8bd590
commit 920fc941a9
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
net/ipv4/esp4.c
View File

@ -336,7 +336,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
struct scatterlist *asg; struct scatterlist *asg;
int err = -EINVAL; int err = -EINVAL;
if (!pskb_may_pull(skb, sizeof(*esph))) if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead)))
goto out; goto out;
if (elen <= 0) if (elen <= 0)

2
net/ipv6/esp6.c
View File

@ -282,7 +282,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
struct scatterlist *sg; struct scatterlist *sg;
struct scatterlist *asg; struct scatterlist *asg;
if (!pskb_may_pull(skb, sizeof(*esph))) { if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead))) {
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }