android_kernel_samsung_univ.../net
Steffen Klassert cce422b32d xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
[ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ]

On policies with a transport mode template, we pass the addresses
from the flowi to xfrm_state_find(), assuming that the IP addresses
(and address family) don't change during transformation.

Unfortunately our policy template validation is not strict enough.
It is possible to configure policies with transport mode template
where the address family of the template does not match the selector's
address family. This leads to stack-out-of-bound reads because
we compare addresses of the wrong family. Fix this by refusing
such a configuration, address family can not change on transport
mode.

We use the assumption that, on transport mode, the first template's
address family must match the address family of the policy selector.
Subsequent transport mode templates must match the address family of
the previous template.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-25 11:03:41 +01:00
..
6lowpan
9p net/9p: Switch to wait_event_killable() 2017-11-30 08:37:25 +00:00
802
8021q 8021q: fix a memory leak for VLAN 0 device 2018-01-17 09:35:29 +01:00
appletalk
atm
ax25
batman-adv
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2018-01-17 09:35:32 +01:00
bridge net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2018-01-02 20:33:26 +01:00
caif
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-31 12:06:08 +01:00
ceph
core net: avoid skb_warn_bad_offload on IS_ERR 2018-02-25 11:03:37 +01:00
dcb
dccp dccp: CVE-2017-8824: use-after-free in DCCP code 2018-02-16 20:09:40 +01:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:03:38 +01:00
dns_resolver
dsa
ethernet
hsr
ieee802154
ipv4 netfilter: on sockopt() acquire sock lock only in the required scope 2018-02-25 11:03:37 +01:00
ipv6 netfilter: on sockopt() acquire sock lock only in the required scope 2018-02-25 11:03:37 +01:00
ipx
irda
iucv
key af_key: fix buffer overread in parse_exthdrs() 2018-01-23 19:50:14 +01:00
l2tp l2tp: cleanup l2tp_tunnel_delete calls 2017-12-20 10:04:59 +01:00
l3mdev
lapb
llc
mac80211 mac80211: fix the update of path metric for RANN frame 2018-02-03 17:04:27 +01:00
mac802154
mpls
netfilter netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert 2018-02-25 11:03:37 +01:00
netlabel
netlink netlink: Add netns check on taps 2018-01-02 20:33:24 +01:00
netrom
nfc NFC: fix device-allocation error return 2017-11-30 08:37:23 +00:00
openvswitch openvswitch: fix the incorrect flow action alloc size 2018-02-03 17:04:27 +01:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-12-16 10:33:56 +01:00
phonet
rds RDS: null pointer dereference in rds_atomic_free_op 2018-01-17 09:35:29 +01:00
rfkill
rose
rxrpc
sched net_sched: red: Avoid illegal values 2018-02-25 11:03:40 +01:00
sctp sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf 2018-01-31 12:06:13 +01:00
sunrpc SUNRPC: Allow connect to return EHOSTUNREACH 2018-02-03 17:04:28 +01:00
switchdev
tipc tipc: fix memory leak in tipc_accept_from_sock() 2017-12-16 10:33:56 +01:00
unix
vmw_vsock
wimax
wireless cfg80211: check dev_set_name() return value 2018-02-25 11:03:35 +01:00
x25
xfrm xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. 2018-02-25 11:03:41 +01:00
compat.c
Kconfig Make DST_CACHE a silent config option 2018-02-25 11:03:37 +01:00
Makefile
socket.c bpf: introduce BPF_JIT_ALWAYS_ON config 2018-02-03 17:04:24 +01:00
sysctl_net.c