Balazs Scheidler <[EMAIL PROTECTED]> wrote:
> While reading through the xfrm code I've found a possible array overflow
> in struct sock.

Thanks for catching this.  However, the check should be done in xfrm_user
as we do for af_key.  The following patch does just that.

Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>

Email: Herbert Xu <[EMAIL PROTECTED]>
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
        if (nr > XFRM_MAX_DEPTH)
                return NULL;
+       if (p->dir > XFRM_POLICY_OUT)
+               return NULL;
        xp = xfrm_policy_alloc(GFP_KERNEL);
        if (xp == NULL) {
                *dir = -ENOBUFS;
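Review bot: the new `if (p->dir > XFRM_POLICY_OUT)` check returns NULL without assigning `*dir`, unlike the allocation-failure path just below it, which sets `*dir = -ENOBUFS;` before returning; if the caller reports `*dir` as an errno, consider `*dir = -EINVAL;` ahead of the `return NULL;` so an out-of-range direction is distinguishable from other failures. Also confirm that `p->dir` is an unsigned type, since a `>` comparison on its own would not reject a negative value on a signed field, and a negative index would still reach the array this check is meant to protect.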