Commit 13fcfbb0 authored by David S. Miller's avatar David S. Miller
Browse files

[XFRM]: Fix OOPSes in xfrm_audit_log(). 



Make sure that this function is called correctly, and
add BUG() checking to ensure the arguments are sane.

Based upon a patch by Joy Latten.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9121c777

net/key/af_key.c

+6 −5
Original line number Diff line number Diff line
@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg 
				   &sel, tmp.security, 1);

	security_xfrm_policy_free(&tmp);



	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,

		       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);



	if (xp == NULL)

		return -ENOENT;



	err = 0;

	err = security_xfrm_policy_delete(xp);



	if ((err = security_xfrm_policy_delete(xp)))

	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,

		       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);



	if (err)

		goto out;



	c.seq = hdr->sadb_msg_seq;

	c.pid = hdr->sadb_msg_pid;

	c.event = XFRM_MSG_DELPOLICY;

net/xfrm/xfrm_policy.c

+6 −1
Original line number Diff line number Diff line
@@ -1997,6 +1997,11 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, 
	if (audit_enabled == 0)

		return;



	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||

		type == AUDIT_MAC_IPSEC_DELSA) && !x);

	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||

		type == AUDIT_MAC_IPSEC_DELSPD) && !xp);



	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);

	if (audit_buf == NULL)

		return;

net/xfrm/xfrm_user.c

+7 −5
Original line number Diff line number Diff line
@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 
		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);

		security_xfrm_policy_free(&tmp);

	}

	if (delete)

		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,

			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);



	if (xp == NULL)

		return -ENOENT;
@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 
					      MSG_DONTWAIT);

		}

	} else {

		if ((err = security_xfrm_policy_delete(xp)) != 0)

		err = security_xfrm_policy_delete(xp);



		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,

			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);



		if (err != 0)

			goto out;



		c.data.byid = p->index;

		c.event = nlh->nlmsg_type;

		c.seq = nlh->nlmsg_seq;