linux/net
Eric Biggers b78f2d36e7 af_key: fix buffer overread in parse_exthdrs()
commit 4e765b4972 upstream.

If a message sent to a PF_KEY socket ended with an incomplete extension
header (fewer than 4 bytes remaining), then parse_exthdrs() read past
the end of the message, into uninitialized memory.  Fix it by returning
-EINVAL in this case.

Reproducer:

	#include <linux/pfkeyv2.h>
	#include <sys/socket.h>
	#include <unistd.h>

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		char buf[17] = { 0 };
		struct sadb_msg *msg = (void *)buf;

		msg->sadb_msg_version = PF_KEY_V2;
		msg->sadb_msg_type = SADB_DELETE;
		msg->sadb_msg_len = 2;

		write(sock, buf, 17);
	}

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-23 19:50:14 +01:00
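
The check described in the commit message above, as an added userspace model; it is not the kernel's parse_exthdrs() and not part of the commit. The name walk_exthdrs, the constants and the sample buffers are hypothetical, and the 16-byte base header and the extension layout (16-bit length in 64-bit words, 16-bit type, type 0 reserved) follow RFC 2367 rather than this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_HDR_LEN 16u /* size of the PF_KEY base message header */
#define EXT_HDR_LEN   4u /* size of an extension header: u16 len, u16 type */

/* Walk the extension headers after the base header.
 * Returns the number of extensions, or -EINVAL for a malformed message. */
int walk_exthdrs(const uint8_t *msg, size_t len)
{
	size_t off = BASE_HDR_LEN;
	int count = 0;

	if (len < BASE_HDR_LEN)
		return -EINVAL;
	while (off < len) {
		size_t remaining = len - off;
		uint16_t words, type;

		/* Reject a trailing fragment too short to hold an extension
		 * header before reading any of its fields. */
		if (remaining < EXT_HDR_LEN)
			return -EINVAL;
		memcpy(&words, msg + off, sizeof(words));
		memcpy(&type, msg + off + 2, sizeof(type));
		/* Length is in 64-bit words and must stay inside the message. */
		if (words == 0 || (size_t)words * 8 > remaining || type == 0)
			return -EINVAL;
		off += (size_t)words * 8;
		count++;
	}
	return count;
}

/* Constructed input: 16-byte base header plus one stray byte,
 * the same shape as the 17-byte buffer in the reproducer. */
int check_truncated(void)
{
	uint8_t buf[17] = { 0 };
	return walk_exthdrs(buf, sizeof(buf));
}

/* Constructed input: base header plus one 8-byte extension of type 1. */
int check_well_formed(void)
{
	uint8_t buf[24] = { 0 };
	uint16_t ext[2] = { 1, 1 }; /* length in words, type */
	memcpy(buf + BASE_HDR_LEN, ext, sizeof(ext));
	return walk_exthdrs(buf, sizeof(buf));
}

int main(void)
{
	printf("truncated: %d, well-formed: %d\n", check_truncated(), check_well_formed());
	return 0;
}
```
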
6lowpan
9p net/9p: Switch to wait_event_killable() 2017-11-30 08:37:25 +00:00
802
8021q 8021q: fix a memory leak for VLAN 0 device 2018-01-17 09:35:29 +01:00
appletalk
atm
ax25
batman-adv
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2018-01-17 09:35:32 +01:00
bridge net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2018-01-02 20:33:26 +01:00
caif
can
ceph
core net: core: fix module type in sock_diag_bind 2018-01-17 09:35:29 +01:00
dcb
dccp tcp/dccp: fix other lockdep splats accessing ireq_opt 2017-11-18 11:11:07 +01:00
decnet
dns_resolver KEYS: Fix race between updating and finding a negative key 2017-10-27 10:23:18 +02:00
dsa net: dsa: select NET_SWITCHDEV 2017-11-15 17:13:11 +01:00
ethernet
hsr
ieee802154 Revert "net: fix percpu memory leaks" 2017-09-27 11:00:11 +02:00
ipv4 ipv4: Fix use-after-free when flushing FIB tables 2018-01-02 20:33:26 +01:00
ipv6 ipv6: fix possible mem leaks in ipv6_make_skb() 2018-01-17 09:35:30 +01:00
ipx
irda irda: do not leak initialized list.dev to userspace 2017-08-30 10:19:21 +02:00
iucv
key af_key: fix buffer overread in parse_exthdrs() 2018-01-23 19:50:14 +01:00
l2tp l2tp: cleanup l2tp_tunnel_delete calls 2017-12-20 10:04:59 +01:00
l3mdev
lapb
llc
mac80211 net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y 2018-01-17 09:35:25 +01:00
mac802154
mpls
netfilter netfilter: nfnetlink_queue: fix secctx memory leak 2017-12-25 14:22:13 +01:00
netlabel
netlink netlink: Add netns check on taps 2018-01-02 20:33:24 +01:00
netrom
nfc NFC: fix device-allocation error return 2017-11-30 08:37:23 +00:00
openvswitch openvswitch: fix potential out of bound access in parse_ct 2017-08-11 09:08:53 -07:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-12-16 10:33:56 +01:00
phonet
rds RDS: null pointer dereference in rds_atomic_free_op 2018-01-17 09:35:29 +01:00
rfkill
rose
rxrpc
sched sch_dsmark: fix invalid skb_cow() usage 2017-12-25 14:22:10 +01:00
sctp sctp: Replace use of sockets_allocated with specified macro. 2018-01-02 20:33:25 +01:00
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 2018-01-10 09:27:10 +01:00
switchdev
tipc tipc: fix memory leak in tipc_accept_from_sock() 2017-12-16 10:33:56 +01:00
unix net/unix: don't show information about sockets from other namespaces 2017-11-18 11:11:06 +01:00
vmw_vsock vsock: use new wait API for vsock_stream_sendmsg() 2017-11-30 08:37:19 +00:00
wimax
wireless nl80211: Define policy for packet pattern attributes 2017-10-18 09:20:41 +02:00
x25
xfrm xfrm: Copy policy family in clone_policy 2017-12-16 10:33:55 +01:00
compat.c audit: log 32-bit socketcalls 2017-10-08 10:14:18 +02:00
Kconfig
Makefile
socket.c net: initialize msg.msg_flags in recvfrom 2017-12-20 10:04:53 +01:00
sysctl_net.c