iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Vladis Dronov 9b3dcc98d8 xfrm: policy: check policy direction value 
commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.

The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
as an array index. This can lead to an out-of-bound access, kernel lockup and
DoS. Add a check for the 'dir' value.

This fixes CVE-2017-11600.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-07 08:34:09 +02:00
..
6lowpan
6lowpan: put mcast compression in an own function
2015-10-21 00:49:25 +02:00
9p
p9_client_readdir() fix
2017-05-02 21:19:55 -07:00
802
8021q
vlan: Propagate MAC address to VLANs
2017-08-06 19:19:43 -07:00
appletalk
atm
atm: deal with setting entry before mkip was called
2015-09-17 22:13:32 -07:00
ax25
ax25: Fix segfault after sock connection timeout
2017-02-04 09:45:09 +01:00
batman-adv
batman-adv: Check for alloc errors when preparing TT local data
2016-12-15 08:49:23 -08:00
bluetooth
Bluetooth: bnep: fix possible might sleep error in bnep_session
2017-08-30 10:19:26 +02:00
bridge
net: bridge: start hello timer only if device is up
2017-06-14 13:16:19 +02:00
caif
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
2017-07-05 14:37:14 +02:00
can
can: Fix kernel panic at security_sock_rcv_skb
2017-02-18 16:39:26 +01:00
ceph
libceph: force GFP_NOIO for socket allocations
2017-04-08 09:53:30 +02:00
core
net: avoid skb_warn_bad_offload false positives on UFO
2017-08-12 19:29:08 -07:00
dcb
net/dcb: make dcbnl.c explicitly non-modular
2015-10-09 07:52:27 -07:00
dccp
dccp: defer ccid_hc_tx_delete() at dismantle time
2017-08-30 10:19:18 +02:00
decnet
decnet: always not take dst->__refcnt when inserting dst into hash table
2017-07-05 14:37:14 +02:00
dns_resolver
net: dns_resolver: convert time_t to time64_t
2015-11-18 16:27:46 -05:00
dsa
net: dsa: Check return value of phy_connect_direct()
2017-07-05 14:37:19 +02:00
ethernet
net: introduce device min_header_len
2017-02-18 16:39:27 +01:00
hsr
net/hsr: fix a warning message
2015-11-23 14:56:15 -05:00
ieee802154
net: fix percpu memory leaks
2015-11-02 22:47:14 -05:00
ipv4
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
2017-08-30 10:19:21 +02:00
ipv6
ipv6: repair fib6 tree in failure case
2017-08-30 10:19:20 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 14:30:13 +02:00
irda
irda: do not leak initialized list.dev to userspace
2017-08-30 10:19:21 +02:00
iucv
af_iucv: Validate socket address length in iucv_sock_bind()
2016-03-03 15:07:03 -08:00
key
af_key: do not use GFP_KERNEL in atomic contexts
2017-08-30 10:19:18 +02:00
l2tp
l2tp: fix PPP pseudo-wire auto-loading
2017-05-02 21:19:52 -07:00
l3mdev
net: Add netif_is_l3_slave
2015-10-07 04:27:43 -07:00
lapb
llc
net/llc: avoid BUG_ON() in skb_orphan()
2017-02-26 11:07:49 +01:00
mac80211
mac80211: initialize SMPS field in HT capabilities
2017-07-05 14:37:20 +02:00
mac802154
mac802154: llsec: use kzfree
2015-10-21 00:49:24 +02:00
mpls
mpls: Send route delete notifications when router module is unloaded
2017-03-22 12:04:16 +01:00
netfilter
netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister
2017-08-24 17:02:34 -07:00
netlabel
netlabel: add address family checks to netlbl_{sock,req}_delattr()
2016-08-20 18:09:22 +02:00
netlink
netlink: Allow direct reclaim for fallback allocation
2017-05-08 07:46:02 +02:00
netrom
nfc
NFC: Add sockaddr length checks before accessing sa_family in bind handlers
2017-07-27 15:06:03 -07:00
openvswitch
openvswitch: fix potential out of bound access in parse_ct
2017-08-11 09:08:53 -07:00
packet
packet: fix tp_reserve race in packet_set_ring
2017-08-12 19:29:08 -07:00
phonet
phonet: properly unshare skbs in phonet_rcv()
2016-01-31 11:29:00 -08:00
rds
rds: tcp: use sock_create_lite() to create the accept socket
2017-07-21 07:44:55 +02:00
rfkill
rfkill: fix rfkill_fop_read wait_event usage
2016-03-03 15:07:26 -08:00
rose
rxrpc
rxrpc: Fix several cases where a padded len isn't checked in ticket decode
2017-06-29 12:48:52 +02:00
sched
net: sched: fix NULL pointer dereference when action calls some targets
2017-08-30 10:19:21 +02:00
sctp
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
2017-08-30 10:19:19 +02:00
sunrpc
SUNRPC: fix refcounting problems with auth_gss messages.
2017-04-21 09:30:08 +02:00
switchdev
switchdev: pass pointer to fib_info instead of copy
2016-06-24 10:18:16 -07:00
tipc
tipc: fix use-after-free
2017-08-30 10:19:20 +02:00
unix
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
2017-07-05 14:37:13 +02:00
vmw_vsock
VSOCK: Detach QP check should filter out non matching QPs.
2017-04-27 09:09:32 +02:00
wimax
net:wimax: Fix doucble word "the the" in networking.xml
2015-08-09 22:43:52 -07:00
wireless
cfg80211: Check if PMKID attribute is of expected size
2017-07-21 07:44:56 +02:00
x25
net: fix a kernel infoleak in x25 module
2016-05-18 17:06:43 -07:00
xfrm
xfrm: policy: check policy direction value
2017-09-07 08:34:09 +02:00
compat.c
Kconfig
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
Makefile
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
socket.c
net: socket: fix recvmmsg not returning error from sock_error
2017-02-26 11:07:50 +01:00
sysctl_net.c
net: Use ns_capable_noaudit() when determining net sysctl permissions
2016-09-15 08:27:50 +02:00