path: root/net/key/af_key.c
Commit message | Author | Age | Files | Lines
* xfrm: Oops on error in pfkey_msg2xfrm_state() | Dan Carpenter | 2017-11-06 | 1 | -4/+12

  commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 upstream.

  There are some missing error codes here so we accidentally return NULL instead of an error pointer. It results in a NULL pointer dereference.

  Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
  Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Willy Tarreau <w@1wt.eu>
* xfrm: NULL dereference on allocation failure | Dan Carpenter | 2017-11-06 | 1 | -0/+1

  commit e747f64336fc15e1c823344942923195b800aa1e upstream.

  The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We added a new call to security_xfrm_state_alloc() which sets "err" to zero so there are several places where we can return ERR_PTR(0) if kmalloc() fails. The caller is expecting error pointers so it leads to a NULL dereference.

  Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
  Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Willy Tarreau <w@1wt.eu>
* af_key: Add lock to key dump | Yuejie Shi | 2017-08-31 | 1 | -7/+35

  commit 89e357d83c06b6fac581c3ca7f0ee3ae7e67109e upstream.

  A dump may come in the middle of another dump, modifying its dump structure members. This race condition will result in NULL pointer dereference in kernel. So add a lock to prevent that race.

  Fixes: 83321d6b9872 ("[AF_KEY]: Dump SA/SP entries non-atomically")
  Signed-off-by: Yuejie Shi <syjcnss@gmail.com>
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  [bwh: Backported to 3.2:
   - pfkey_dump() doesn't support filters
   - Adjust context]
  Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
* UPSTREAM: af_key: Fix sadb_x_ipsecrequest parsing | Herbert Xu | 2017-08-03 | 1 | -21/+26

  (cherry picked from commit 096f41d3a8fcbb8dde7f71379b1ca85fe213eded)

  The parsing of sadb_x_ipsecrequest is broken in a number of ways. First of all we're not verifying sadb_x_ipsecrequest_len. This is needed when the structure carries addresses at the end. Worse we don't even look at the length when we parse those optional addresses.

  The migration code had similar parsing code that's better but it also has some deficiencies. The length is overcounted first of all as it includes the header itself. It also fails to check the length before dereferencing the sa_family field.

  This patch fixes those problems in parse_sockaddr_pair and then uses it in parse_ipsecrequest.

  Reported-by: Andrey Konovalov <andreyknvl@google.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Bug: 63963140
  Change-Id: Ie8854131293bc8153bfb8cb255161ec8f03667f9
* first commit | Meizu OpenSource | 2016-08-15 | 1 | -0/+3852