Balazs Scheidler <[EMAIL PROTECTED]> wrote: > > While reading through the xfrm code I've found a possible array overflow > in struct sock.
Thanks for catching this. However, the check should be done in xfrm_user as we do for af_key. The following patch does just that. Signed-off-by: Herbert Xu <[EMAIL PROTECTED]> Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_ if (nr > XFRM_MAX_DEPTH) return NULL; + if (p->dir > XFRM_POLICY_OUT) + return NULL; + xp = xfrm_policy_alloc(GFP_KERNEL); if (xp == NULL) { *dir = -ENOBUFS; - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
