iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Biggers b78f2d36e7 af_key: fix buffer overread in parse_exthdrs() 
commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 upstream.

If a message sent to a PF_KEY socket ended with an incomplete extension
header (fewer than 4 bytes remaining), then parse_exthdrs() read past
the end of the message, into uninitialized memory.  Fix it by returning
-EINVAL in this case.

Reproducer:

	#include <linux/pfkeyv2.h>
	#include <sys/socket.h>
	#include <unistd.h>

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		char buf[17] = { 0 };
		struct sadb_msg *msg = (void *)buf;

		msg->sadb_msg_version = PF_KEY_V2;
		msg->sadb_msg_type = SADB_DELETE;
		msg->sadb_msg_len = 2;

		write(sock, buf, 17);
	}

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-23 19:50:14 +01:00
..
6lowpan
6lowpan: put mcast compression in an own function
2015-10-21 00:49:25 +02:00
9p
net/9p: Switch to wait_event_killable()
2017-11-30 08:37:25 +00:00
802
8021q
8021q: fix a memory leak for VLAN 0 device
2018-01-17 09:35:29 +01:00
appletalk
atm
atm: deal with setting entry before mkip was called
2015-09-17 22:13:32 -07:00
ax25
ax25: Fix segfault after sock connection timeout
2017-02-04 09:45:09 +01:00
batman-adv
batman-adv: Check for alloc errors when preparing TT local data
2016-12-15 08:49:23 -08:00
bluetooth
Bluetooth: Prevent stack info leak from the EFS element.
2018-01-17 09:35:32 +01:00
bridge
net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
2018-01-02 20:33:26 +01:00
caif
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
2017-07-05 14:37:14 +02:00
can
can: Fix kernel panic at security_sock_rcv_skb
2017-02-18 16:39:26 +01:00
ceph
libceph: force GFP_NOIO for socket allocations
2017-04-08 09:53:30 +02:00
core
net: core: fix module type in sock_diag_bind
2018-01-17 09:35:29 +01:00
dcb
net/dcb: make dcbnl.c explicitly non-modular
2015-10-09 07:52:27 -07:00
dccp
tcp/dccp: fix other lockdep splats accessing ireq_opt
2017-11-18 11:11:07 +01:00
decnet
decnet: always not take dst->__refcnt when inserting dst into hash table
2017-07-05 14:37:14 +02:00
dns_resolver
KEYS: Fix race between updating and finding a negative key
2017-10-27 10:23:18 +02:00
dsa
net: dsa: select NET_SWITCHDEV
2017-11-15 17:13:11 +01:00
ethernet
net: introduce device min_header_len
2017-02-18 16:39:27 +01:00
hsr
net/hsr: fix a warning message
2015-11-23 14:56:15 -05:00
ieee802154
Revert "net: fix percpu memory leaks"
2017-09-27 11:00:11 +02:00
ipv4
ipv4: Fix use-after-free when flushing FIB tables
2018-01-02 20:33:26 +01:00
ipv6
ipv6: fix possible mem leaks in ipv6_make_skb()
2018-01-17 09:35:30 +01:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 14:30:13 +02:00
irda
irda: do not leak initialized list.dev to userspace
2017-08-30 10:19:21 +02:00
iucv
af_iucv: Validate socket address length in iucv_sock_bind()
2016-03-03 15:07:03 -08:00
key
af_key: fix buffer overread in parse_exthdrs()
2018-01-23 19:50:14 +01:00
l2tp
l2tp: cleanup l2tp_tunnel_delete calls
2017-12-20 10:04:59 +01:00
l3mdev
net: Add netif_is_l3_slave
2015-10-07 04:27:43 -07:00
lapb
llc
net/llc: avoid BUG_ON() in skb_orphan()
2017-02-26 11:07:49 +01:00
mac80211
net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y
2018-01-17 09:35:25 +01:00
mac802154
mac802154: llsec: use kzfree
2015-10-21 00:49:24 +02:00
mpls
mpls: Send route delete notifications when router module is unloaded
2017-03-22 12:04:16 +01:00
netfilter
netfilter: nfnetlink_queue: fix secctx memory leak
2017-12-25 14:22:13 +01:00
netlabel
netlabel: add address family checks to netlbl_{sock,req}_delattr()
2016-08-20 18:09:22 +02:00
netlink
netlink: Add netns check on taps
2018-01-02 20:33:24 +01:00
netrom
nfc
NFC: fix device-allocation error return
2017-11-30 08:37:23 +00:00
openvswitch
openvswitch: fix potential out of bound access in parse_ct
2017-08-11 09:08:53 -07:00
packet
net/packet: fix a race in packet_bind() and packet_notifier()
2017-12-16 10:33:56 +01:00
phonet
phonet: properly unshare skbs in phonet_rcv()
2016-01-31 11:29:00 -08:00
rds
RDS: null pointer dereference in rds_atomic_free_op
2018-01-17 09:35:29 +01:00
rfkill
rfkill: fix rfkill_fop_read wait_event usage
2016-03-03 15:07:26 -08:00
rose
rxrpc
rxrpc: Fix several cases where a padded len isn't checked in ticket decode
2017-06-29 12:48:52 +02:00
sched
sch_dsmark: fix invalid skb_cow() usage
2017-12-25 14:22:10 +01:00
sctp
sctp: Replace use of sockets_allocated with specified macro.
2018-01-02 20:33:25 +01:00
sunrpc
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:27:10 +01:00
switchdev
switchdev: pass pointer to fib_info instead of copy
2016-06-24 10:18:16 -07:00
tipc
tipc: fix memory leak in tipc_accept_from_sock()
2017-12-16 10:33:56 +01:00
unix
net/unix: don't show information about sockets from other namespaces
2017-11-18 11:11:06 +01:00
vmw_vsock
vsock: use new wait API for vsock_stream_sendmsg()
2017-11-30 08:37:19 +00:00
wimax
net:wimax: Fix doucble word "the the" in networking.xml
2015-08-09 22:43:52 -07:00
wireless
nl80211: Define policy for packet pattern attributes
2017-10-18 09:20:41 +02:00
x25
net: fix a kernel infoleak in x25 module
2016-05-18 17:06:43 -07:00
xfrm
xfrm: Copy policy family in clone_policy
2017-12-16 10:33:55 +01:00
compat.c
audit: log 32-bit socketcalls
2017-10-08 10:14:18 +02:00
Kconfig
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
Makefile
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
socket.c
net: initialize msg.msg_flags in recvfrom
2017-12-20 10:04:53 +01:00
sysctl_net.c
net: Use ns_capable_noaudit() when determining net sysctl permissions
2016-09-15 08:27:50 +02:00