diff options
author | David S. Miller <davem@davemloft.net> | 2018-01-17 00:00:25 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-01-17 00:10:42 -0500 |
commit | c02b3741eb99a1ec733e6134c53ba59e43e19e97 (patch) | |
tree | ff7dd96c32dec2abe530e7101378443dabcb8962 /net/key | |
parent | 7018d1b3f20fb4308ed9bc577160cb8ffb79b62a (diff) | |
parent | 8cbab92dff778e516064c13113ca15d4869ec883 (diff) |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Overlapping changes all over.
The mini-qdisc bits were a little bit tricky, however.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/key')
-rw-r--r-- | net/key/af_key.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 3dffb892d52c..7e2e7188e7f4 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -401,6 +401,11 @@ static int verify_address_len(const void *p) #endif int len; + if (sp->sadb_address_len < + DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family), + sizeof(uint64_t))) + return -EINVAL; + switch (addr->sa_family) { case AF_INET: len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t)); @@ -511,6 +516,9 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void * uint16_t ext_type; int ext_len; + if (len < sizeof(*ehdr)) + return -EINVAL; + ext_len = ehdr->sadb_ext_len; ext_len *= sizeof(uint64_t); ext_type = ehdr->sadb_ext_type; @@ -2194,8 +2202,10 @@ static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_ev return PTR_ERR(out_skb); err = pfkey_xfrm_policy2msg(out_skb, xp, dir); - if (err < 0) + if (err < 0) { + kfree_skb(out_skb); return err; + } out_hdr = (struct sadb_msg *) out_skb->data; out_hdr->sadb_msg_version = PF_KEY_V2; |