iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Vladis Dronov 12a70ccaa6 xfrm: policy: check policy direction value 
commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.

The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
as an array index. This can lead to an out-of-bound access, kernel lockup and
DoS. Add a check for the 'dir' value.

This fixes CVE-2017-11600.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-07 08:35:40 +02:00
..
6lowpan
6lowpan: ndisc: no overreact if no short address is available
2016-09-19 20:19:34 +02:00
9p
p9_client_readdir() fix
2017-05-03 08:36:38 -07:00
802
8021q
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
2017-07-05 14:40:16 +02:00
appletalk
appletalk: use IS_ENABLED() instead of checking for built-in or module
2016-09-10 21:19:10 -07:00
atm
lec: use IS_ENABLED() instead of checking for built-in or module
2016-09-10 21:19:10 -07:00
ax25
ax25: Fix segfault after sock connection timeout
2017-02-04 09:47:09 +01:00
batman-adv
batman-adv: Check for alloc errors when preparing TT local data
2016-12-02 10:46:59 +01:00
bluetooth
Bluetooth: bnep: fix possible might sleep error in bnep_session
2017-08-30 10:21:52 +02:00
bridge
bridge: mdb: fix leak on complete_info ptr on fail path
2017-07-21 07:42:17 +02:00
caif
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
2017-07-05 14:40:14 +02:00
can
can: Fix kernel panic at security_sock_rcv_skb
2017-02-18 15:11:40 +01:00
ceph
libceph: force GFP_NOIO for socket allocations
2017-04-08 09:30:30 +02:00
core
net: avoid skb_warn_bad_offload false positives on UFO
2017-08-12 19:31:22 -07:00
dcb
net: dcb: set error code on failures
2016-12-03 23:54:25 -05:00
dccp
dccp: defer ccid_hc_tx_delete() at dismantle time
2017-08-30 10:21:39 +02:00
decnet
decnet: always not take dst->__refcnt when inserting dst into hash table
2017-07-05 14:40:16 +02:00
dns_resolver
dsa
net: dsa: Check return value of phy_connect_direct()
2017-07-05 14:40:23 +02:00
ethernet
net: introduce device min_header_len
2017-02-18 15:11:43 +01:00
hsr
net/hsr: Remove unused but set variable
2016-10-18 10:28:18 -04:00
ieee802154
ieee802154: 6lowpan: fix intra pan id check
2016-07-08 13:23:12 +02:00
ipv4
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
2017-08-30 10:21:42 +02:00
ipv6
ipv6: repair fib6 tree in failure case
2017-08-30 10:21:41 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 15:44:41 +02:00
irda
irda: do not leak initialized list.dev to userspace
2017-08-30 10:21:42 +02:00
iucv
net/af_iucv: don't use paged skbs for TX on HiperSockets
2017-01-19 20:18:04 +01:00
kcm
kcm: return immediately after copy_from_user() failure
2017-05-03 08:36:34 -07:00
key
af_key: do not use GFP_KERNEL in atomic contexts
2017-08-30 10:21:38 +02:00
l2tp
l2tp: consider '::' as wildcard address in l2tp_ip6 socket lookup
2017-08-06 18:59:46 -07:00
l3mdev
net: ipv6: Remove l3mdev_get_saddr6
2016-09-10 23:12:53 -07:00
lapb
net/lapb: tuse %*ph to dump buffers
2016-05-29 22:33:25 -07:00
llc
net/llc: avoid BUG_ON() in skb_orphan()
2017-02-26 11:10:50 +01:00
mac80211
mac80211: initialize SMPS field in HT capabilities
2017-07-05 14:40:25 +02:00
mac802154
mac802154: use rate limited warnings for malformed frames
2016-09-19 20:19:34 +02:00
mpls
mpls: Do not decrement alive counter for unregister events
2017-03-22 12:43:34 +01:00
ncsi
net/ncsi: Improve HNCDSC AEN handler
2016-10-20 11:23:08 -04:00
netfilter
netfilter: nat: fix src map lookup
2017-08-30 10:21:51 +02:00
netlabel
netlabel: Implement CALIPSO config functions for SMACK.
2016-06-27 15:06:18 -04:00
netlink
netlink: Do not schedule work from sk_destruct
2016-12-05 19:43:42 -05:00
netrom
nfc
NFC: Add sockaddr length checks before accessing sa_family in bind handlers
2017-07-27 15:07:56 -07:00
openvswitch
openvswitch: fix skb_panic due to the incorrect actions attrlen
2017-08-30 10:21:40 +02:00
packet
packet: fix tp_reserve race in packet_set_ring
2017-08-12 19:31:22 -07:00
phonet
qrtr
rds
rds: tcp: use sock_create_lite() to create the accept socket
2017-07-21 07:42:19 +02:00
rfkill
rose
rose: limit sk_filter trim to payload
2016-07-13 11:53:40 -07:00
rxrpc
rxrpc: Fix several cases where a padded len isn't checked in ticket decode
2017-06-29 13:00:31 +02:00
sched
net: sched: fix NULL pointer dereference when action calls some targets
2017-08-30 10:21:42 +02:00
sctp
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
2017-08-30 10:21:41 +02:00
strparser
strparser: destroy workqueue on module exit
2017-03-22 12:43:33 +01:00
sunrpc
net: sunrpc: svcsock: fix NULL-pointer exception
2017-08-30 10:21:51 +02:00
switchdev
switchdev: Execute bridge ndos only for bridge ports
2016-10-19 10:58:04 -04:00
tipc
tipc: fix use-after-free
2017-08-30 10:21:41 +02:00
unix
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
2017-07-05 14:40:14 +02:00
vmw_vsock
vsock/virtio: fix src/dst cid format
2017-01-09 08:32:23 +01:00
wimax
wireless
cfg80211: Check if NAN service ID is of expected size
2017-07-21 07:42:20 +02:00
x25
net: x25: remove null checks on arrays calling_ae and called_ae
2016-09-09 18:13:30 -07:00
xfrm
xfrm: policy: check policy direction value
2017-09-07 08:35:40 +02:00
compat.c
packet: compat support for sock_fprog
2016-06-09 23:41:03 -07:00
Kconfig
strparser: Stream parser for messages
2016-08-17 19:36:23 -04:00
Makefile
strparser: Stream parser for messages
2016-08-17 19:36:23 -04:00
socket.c
net: socket: fix recvmmsg not returning error from sock_error
2017-02-26 11:10:51 +01:00
sysctl_net.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2016-10-06 09:52:23 -07:00