iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Herbert Xu 543aabb7d1 ipsec: Fix aborted xfrm policy dump crash 
commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.

An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash.  This can be
triggered if a dump fails because the target socket's receive
buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that
the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-02 09:49:15 +01:00
..
6lowpan
6lowpan: ndisc: no overreact if no short address is available
2016-09-19 20:19:34 +02:00
9p
p9_client_readdir() fix
2017-05-03 08:36:38 -07:00
802
8021q
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
2017-07-05 14:40:16 +02:00
appletalk
appletalk: use IS_ENABLED() instead of checking for built-in or module
2016-09-10 21:19:10 -07:00
atm
lec: use IS_ENABLED() instead of checking for built-in or module
2016-09-10 21:19:10 -07:00
ax25
ax25: Fix segfault after sock connection timeout
2017-02-04 09:47:09 +01:00
batman-adv
batman-adv: Check for alloc errors when preparing TT local data
2016-12-02 10:46:59 +01:00
bluetooth
Bluetooth: Properly check L2CAP config option output buffer length
2017-09-13 14:13:36 -07:00
bridge
bridge: netlink: register netdevice before executing changelink
2017-10-08 10:26:08 +02:00
caif
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
2017-07-05 14:40:14 +02:00
can
can: Fix kernel panic at security_sock_rcv_skb
2017-02-18 15:11:40 +01:00
ceph
libceph: force GFP_NOIO for socket allocations
2017-04-08 09:30:30 +02:00
core
Revert "socket, bpf: fix possible use after free"
2017-10-12 21:21:39 +02:00
dcb
net: dcb: set error code on failures
2016-12-03 23:54:25 -05:00
dccp
dccp: defer ccid_hc_tx_delete() at dismantle time
2017-08-30 10:21:39 +02:00
decnet
decnet: always not take dst->__refcnt when inserting dst into hash table
2017-07-05 14:40:16 +02:00
dns_resolver
KEYS: Fix race between updating and finding a negative key
2017-10-27 10:38:11 +02:00
dsa
net: dsa: Fix network device registration order
2017-10-12 11:51:22 +02:00
ethernet
net: introduce device min_header_len
2017-02-18 15:11:43 +01:00
hsr
net/hsr: Remove unused but set variable
2016-10-18 10:28:18 -04:00
ieee802154
Revert "net: fix percpu memory leaks"
2017-09-20 08:19:55 +02:00
ipv4
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
2017-10-12 11:51:22 +02:00
ipv6
ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
2017-10-12 11:51:23 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 15:44:41 +02:00
irda
irda: do not leak initialized list.dev to userspace
2017-08-30 10:21:42 +02:00
iucv
net/af_iucv: don't use paged skbs for TX on HiperSockets
2017-01-19 20:18:04 +01:00
kcm
kcm: do not attach PF_KCM sockets to avoid deadlock
2017-09-20 08:19:55 +02:00
key
af_key: do not use GFP_KERNEL in atomic contexts
2017-08-30 10:21:38 +02:00
l2tp
l2tp: fix race condition in l2tp_tunnel_delete
2017-10-12 11:51:22 +02:00
l3mdev
net: ipv6: Remove l3mdev_get_saddr6
2016-09-10 23:12:53 -07:00
lapb
net/lapb: tuse %*ph to dump buffers
2016-05-29 22:33:25 -07:00
llc
net/llc: avoid BUG_ON() in skb_orphan()
2017-02-26 11:10:50 +01:00
mac80211
mac80211: fix power saving clients handling in iwlwifi
2017-10-21 17:21:34 +02:00
mac802154
mac802154: use rate limited warnings for malformed frames
2016-09-19 20:19:34 +02:00
mpls
mpls: Do not decrement alive counter for unregister events
2017-03-22 12:43:34 +01:00
ncsi
net/ncsi: Improve HNCDSC AEN handler
2016-10-20 11:23:08 -04:00
netfilter
netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
2017-10-21 17:21:34 +02:00
netlabel
netlabel: Implement CALIPSO config functions for SMACK.
2016-06-27 15:06:18 -04:00
netlink
netlink: do not proceed if dump's start() errs
2017-10-12 11:51:23 +02:00
netrom
nfc
NFC: Add sockaddr length checks before accessing sa_family in bind handlers
2017-07-27 15:07:56 -07:00
openvswitch
openvswitch: fix skb_panic due to the incorrect actions attrlen
2017-08-30 10:21:40 +02:00
packet
packet: only test po->has_vnet_hdr once in packet_snd
2017-10-12 11:51:22 +02:00
phonet
qrtr
Merge tag 'qcom-soc-for-4.7-2' into net-next
2016-05-17 14:11:19 -04:00
rds
rds: ib: add error handle
2017-10-08 10:26:10 +02:00
rfkill
rose
rose: limit sk_filter trim to payload
2016-07-13 11:53:40 -07:00
rxrpc
rxrpc: Fix several cases where a padded len isn't checked in ticket decode
2017-06-29 13:00:31 +02:00
sched
net_sched: always reset qdisc backlog in qdisc_reset()
2017-10-12 11:51:22 +02:00
sctp
sctp: fix missing wake ups in some situations
2017-09-20 08:19:56 +02:00
strparser
strparser: destroy workqueue on module exit
2017-03-22 12:43:33 +01:00
sunrpc
NFSv4: Fix callback server shutdown
2017-09-27 14:39:18 +02:00
switchdev
switchdev: Execute bridge ndos only for bridge ports
2016-10-19 10:58:04 -04:00
tipc
tipc: use only positive error codes in messages
2017-10-12 11:51:23 +02:00
unix
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
2017-07-05 14:40:14 +02:00
vmw_vsock
vsock/virtio: fix src/dst cid format
2017-01-09 08:32:23 +01:00
wimax
wireless
cfg80211: fix connect/disconnect edge cases
2017-11-02 09:49:15 +01:00
x25
net: x25: remove null checks on arrays calling_ae and called_ae
2016-09-09 18:13:30 -07:00
xfrm
ipsec: Fix aborted xfrm policy dump crash
2017-11-02 09:49:15 +01:00
compat.c
audit: log 32-bit socketcalls
2017-10-08 10:26:06 +02:00
Kconfig
strparser: Stream parser for messages
2016-08-17 19:36:23 -04:00
Makefile
strparser: Stream parser for messages
2016-08-17 19:36:23 -04:00
socket.c
net: socket: fix recvmmsg not returning error from sock_error
2017-02-26 11:10:51 +01:00
sysctl_net.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2016-10-06 09:52:23 -07:00