Commit 5fc43ce0 authored by David S. Miller's avatar David S. Miller
Steffen Klassert says:

====================
1) Fix a slab-out-of-bounds read in xfrm_address_filter.
   From Lin Ma.

2) Fix the pfkey sadb_x_filter validation.
   From Lin Ma.

3) Use the correct nla_policy structure for XFRMA_SEC_CTX.
   From Lin Ma.

4) Fix warnings triggerable by bad packets in the encap functions.
   From Herbert Xu.

5) Fix some slab-use-after-free in decode_session6.
   From Zhengchao Shao.

6) Fix a possible NULL pointer dereference in xfrm_update_ae_params.
   Lin Ma.

7) Add a forgotten nla_policy for XFRMA_MTIMER_THRESH.
   From Lin Ma.

8) Don't leak offloaded policies.
   From Leon Romanovsky.

9) Delete also the offloading part of an acquire state.
   From Leon Romanovsky.

Please pull or let me know if there are problems.
parents 9944d203 f3ec2b5d
+1 −0
@@ -1984,6 +1984,7 @@ static inline void xfrm_dev_state_free(struct xfrm_state *x)
		if (dev->xfrmdev_ops->xdo_dev_state_free)
			dev->xfrmdev_ops->xdo_dev_state_free(x);
		xso->dev = NULL;
		xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
		netdev_put(dev, &xso->dev_tracker);
	}
}
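Review bot: The reset `xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;` — which the +1 −0 diffstat suggests is the line this hunk adds — carries no comment saying why the type has to be cleared together with `xso->dev`. Presumably the point is that a state whose offload has already been released must not be treated as still offloaded by a later delete or free path; if so, a one-line comment such as `/* clear the offload type with dev so the state is not treated as offloaded again */` keeps that invariant visible to the next reader. xfrm_dev_state_free starts before this hunk, so the condition guarding this block is not visible here.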
+2 −2
@@ -287,12 +287,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)

	switch (skb->protocol) {
	case htons(ETH_P_IP):
		xfrm_decode_session(skb, &fl, AF_INET);
		memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
		xfrm_decode_session(skb, &fl, AF_INET);
		break;
	case htons(ETH_P_IPV6):
		xfrm_decode_session(skb, &fl, AF_INET6);
		memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
		xfrm_decode_session(skb, &fl, AF_INET6);
		break;
	default:
		goto tx_err;
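Review bot: The new ordering in both cases — `memset(IPCB(skb), 0, sizeof(*IPCB(skb)));` ahead of `xfrm_decode_session(skb, &fl, AF_INET);`, if the printed order is old-then-new — rests on an invariant nothing in the hunk states: per item 5 of the cover letter, decode_session apparently reads the skb control block, so contents left by an earlier layer must be cleared first. A short comment above each memset, e.g. `/* clear the cb area before xfrm_decode_session() reads it */`, would stop a later cleanup from swapping the two calls back. The same reordering, with the same missing comment, appears in the vti6_tnl_xmit hunk below. vti_tunnel_xmit starts before this hunk, so the declaration of `fl` is not visible here.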
+2 −2
@@ -568,12 +568,12 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
		    vti6_addr_conflict(t, ipv6_hdr(skb)))
			goto tx_err;

		xfrm_decode_session(skb, &fl, AF_INET6);
		memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
		xfrm_decode_session(skb, &fl, AF_INET6);
		break;
	case htons(ETH_P_IP):
		xfrm_decode_session(skb, &fl, AF_INET);
		memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
		xfrm_decode_session(skb, &fl, AF_INET);
		break;
	default:
		goto tx_err;
+2 −2
@@ -1848,9 +1848,9 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
	if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
		struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];

		if ((xfilter->sadb_x_filter_splen >=
		if ((xfilter->sadb_x_filter_splen >
			(sizeof(xfrm_address_t) << 3)) ||
		    (xfilter->sadb_x_filter_dplen >=
		    (xfilter->sadb_x_filter_dplen >
			(sizeof(xfrm_address_t) << 3))) {
			mutex_unlock(&pfk->dump_lock);
			return -EINVAL;
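Review bot: The bound `(sizeof(xfrm_address_t) << 3)` is written twice and never explained; it is the address width in bits, and if `>` is the new side the check now accepts a prefix length equal to that width, which the old `>=` rejected. Naming it once, e.g. `const unsigned int max_plen = sizeof(xfrm_address_t) << 3;`, or a comment `/* prefix lengths are in bits; a full-width prefix is valid */` would make the validation self-documenting. Whether the two prefix lengths are also bounded per address family (32 for IPv4) before the filter is used is not visible on this page. The `if (ext_hdrs[...])` block is shown in full, but pfkey_dump itself continues outside the hunk.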
+1 −1
@@ -108,7 +108,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = {
	[XFRMA_ALG_COMP]	= { .len = sizeof(struct xfrm_algo) },
	[XFRMA_ENCAP]		= { .len = sizeof(struct xfrm_encap_tmpl) },
	[XFRMA_TMPL]		= { .len = sizeof(struct xfrm_user_tmpl) },
	[XFRMA_SEC_CTX]		= { .len = sizeof(struct xfrm_sec_ctx) },
	[XFRMA_SEC_CTX]		= { .len = sizeof(struct xfrm_user_sec_ctx) },
	[XFRMA_LTIME_VAL]	= { .len = sizeof(struct xfrm_lifetime_cur) },
	[XFRMA_REPLAY_VAL]	= { .len = sizeof(struct xfrm_replay_state) },
	[XFRMA_REPLAY_THRESH]	= { .type = NLA_U32 },
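Review bot: The `[XFRMA_SEC_CTX]` entry sets only `.len`, so like its neighbours it is a minimum-length check on a fixed header; the policy cannot bound the variable-length context string that follows `struct xfrm_user_sec_ctx`. A comment on the entry such as `/* header only; the trailing context string length is validated by the consumer */` would record where the remaining validation happens, provided that is indeed the case. If net/xfrm/xfrm_user.c carries a parallel xfrma_policy entry for XFRMA_SEC_CTX it should agree with this one; that file is not on this page.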