summaryrefslogtreecommitdiffstats
path: root/net/ipv6/esp6.c
diff options
context:
space:
mode:
authorThomas Graf <tgraf@suug.ch>2008-03-27 16:08:03 -0700
committerDavid S. Miller <davem@davemloft.net>2008-03-27 16:08:03 -0700
commit920fc941a9617f95ccb283037fe6f8a38d95bb69 (patch)
tree1de9a439eec25d514f25254320ded076f5fd8144 /net/ipv6/esp6.c
parent732c8bd590625e8bc0b88313b82930e336b2bec4 (diff)
downloadkernel-crypto-920fc941a9617f95ccb283037fe6f8a38d95bb69.tar.gz
kernel-crypto-920fc941a9617f95ccb283037fe6f8a38d95bb69.tar.xz
kernel-crypto-920fc941a9617f95ccb283037fe6f8a38d95bb69.zip
[ESP]: Ensure IV is in linear part of the skb to avoid BUG() due to OOB access
ESP does not account for the IV size when calling pskb_may_pull() to ensure everything it accesses directly is within the linear part of a potential fragment. This results in a BUG() being triggered when the both the IPv4 and IPv6 ESP stack is fed with an skb where the first fragment ends between the end of the esp header and the end of the IV. This bug was found by Dirk Nehring <dnehring@gmx.net> . Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/esp6.c')
-rw-r--r--net/ipv6/esp6.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 0ec1402320e..c6bb4c6d24b 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -282,7 +282,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
struct scatterlist *sg;
struct scatterlist *asg;
- if (!pskb_may_pull(skb, sizeof(*esph))) {
+ if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead))) {
ret = -EINVAL;
goto out;
}