As found by syzbot, af_key does not properly validate the key length in sadb_key messages from userspace. This can result in copying from beyond the end of the sadb_key part of the message, or indeed beyond the end of the entire packet.
Both these patches apply cleanly to ipsec-next. Based on Steffen's feedback I have re-ordered them so that the fix only is in patch 1, which I would suggest is also a stable tree candidate, whereas patch 2 is a cleanup only. Kevin Easton (2): af_key: Always verify length of provided sadb_key af_key: Use DIV_ROUND_UP() instead of open-coded equivalent net/key/af_key.c | 58 ++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 16 deletions(-) -- 2.8.1