diff options
| author | Nicolas Dichtel <nicolas.dichtel@6wind.com> | 2011-01-11 08:04:12 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2011-01-11 14:03:09 -0800 |
| commit | fa6dd8a2c89861d05621ce7e2880e485bec22fba (patch) | |
| tree | 8636aee24a084dc6b530cc8c0e06c283429d037e /net/xfrm/xfrm_user.c | |
| parent | f76957fc8fc4fa9735f01e59653b2792b077de06 (diff) | |
| download | olio-linux-3.10-fa6dd8a2c89861d05621ce7e2880e485bec22fba.tar.xz olio-linux-3.10-fa6dd8a2c89861d05621ce7e2880e485bec22fba.zip | |
xfrm: check trunc_len in XFRMA_ALG_AUTH_TRUNC
Maximum trunc length is defined by MAX_AH_AUTH_LEN (in bytes)
and need to be checked when this value is set (in bits) by
the user. In ah4.c and ah6.c a BUG_ON() checks this condiftion.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 6a8da81ff66..d5e1e0b0889 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -26,6 +26,7 @@ #include <net/sock.h> #include <net/xfrm.h> #include <net/netlink.h> +#include <net/ah.h> #include <asm/uaccess.h> #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #include <linux/in6.h> @@ -302,7 +303,8 @@ static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, algo = xfrm_aalg_get_byname(ualg->alg_name, 1); if (!algo) return -ENOSYS; - if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) + if ((ualg->alg_trunc_len / 8) > MAX_AH_AUTH_LEN || + ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) return -EINVAL; *props = algo->desc.sadb_alg_id; |