author Herbert Xu <herbert@gondor.apana.org.au> 2017-10-19 15:51:10 +0300
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-12-05 13:20:46 +0300
commit 8586e18413441d265f0ff536378d6ef358d18853 (patch)
tree bf90d4a64de2636e8f67dbda69c080a65b239290 /mm
parent 142afbc6b2f33832f332ce5b561aa817edfff0b4 (diff)
ipsec: Fix aborted xfrm policy dump crash
commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'mm')
0 files changed, 0 insertions, 0 deletions
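
The callback lifecycle the commit message describes, as an added userspace model that is not code from this commit or from the kernel: teardown runs unconditionally, so state set up lazily in the dump callback is missing when the first dump is skipped, while a start callback sets it up every time. All names (`dump_cb`, `walk_init`, `run_dump`, `rcvbuf_full`) are hypothetical stand-ins, and `dump_done` returns false where real teardown code would dereference the NULL pointers of a never-initialised list entry.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only: every name here is a hypothetical stand-in. */
struct node { struct node *prev, *next; };
static struct node walkers = { &walkers, &walkers };  /* the "dump list" */

struct dump_cb {
    struct node link;                  /* zeroed scratch state for this dump */
    bool inited;                       /* lazy-init flag used by the old pattern */
    void (*start)(struct dump_cb *);   /* optional: runs once, before any dump */
    void (*dump)(struct dump_cb *);    /* skipped when the receive buffer is full */
};

static void walk_init(struct dump_cb *cb) {
    cb->link.prev = &walkers;
    cb->link.next = walkers.next;
    walkers.next->prev = &cb->link;
    walkers.next = &cb->link;
}

/* Old pattern: initialisation happens lazily inside the first dump call. */
static void dump_lazy(struct dump_cb *cb) {
    if (!cb->inited) { walk_init(cb); cb->inited = true; }
}

/* Fixed pattern: start does the initialisation, dump only walks. */
static void start_fixed(struct dump_cb *cb) { walk_init(cb); }
static void dump_fixed(struct dump_cb *cb) { (void)cb; }

/* Teardown unlinks unconditionally. Returns false where the real code would
 * dereference the NULL pointers of a never-initialised entry. */
static bool dump_done(struct dump_cb *cb) {
    if (!cb->link.prev || !cb->link.next)
        return false;
    cb->link.prev->next = cb->link.next;
    cb->link.next->prev = cb->link.prev;
    return true;
}

/* Drive one dump; rcvbuf_full models the aborted first dump from the commit. */
static bool run_dump(bool fixed, bool rcvbuf_full) {
    struct dump_cb cb = { .start = fixed ? start_fixed : NULL,
                          .dump = fixed ? dump_fixed : dump_lazy };
    if (cb.start) cb.start(&cb);
    if (!rcvbuf_full) cb.dump(&cb);
    return dump_done(&cb);
}
```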