On Sat, Apr 07, 2018 at 11:40:33AM -0400, Kevin Easton wrote: > Key extensions (struct sadb_key) include a user-specified number of key > bits. The kernel uses that number to determine how much key data to copy > out of the message in pfkey_msg2xfrm_state(). > > The length of the sadb_key message must be verified to be long enough, > even in the case of SADB_X_AALG_NULL. Furthermore, the sadb_key_len value > must be long enough to include both the key data and the struct sadb_key > itself. > > Introduce a helper function verify_key_len(), and call it from > parse_exthdrs() where other exthdr types are similarly checked for > correctness. > > Signed-off-by: Kevin Easton <ke...@guarana.org> > Reported-by: > syzbot+5022a34ca5a3d49b84223653fab632dfb7b4c...@syzkaller.appspotmail.com
Applied to the ipsec tree, thanks Kevin!
