Commit fa6dd8a2 authored by Nicolas Dichtel's avatar Nicolas Dichtel Committed by David S. Miller
Browse files

xfrm: check trunc_len in XFRMA_ALG_AUTH_TRUNC

Maximum trunc length is defined by MAX_AH_AUTH_LEN (in bytes)
and need to be checked when this value is set (in bits) by
the user. In ah4.c and ah6.c a BUG_ON() checks this condiftion.
Signed-off-by: default avatarNicolas Dichtel <>
Signed-off-by: default avatarDavid S. Miller <>
parent f76957fc
...@@ -26,6 +26,7 @@ ...@@ -26,6 +26,7 @@
#include <net/sock.h> #include <net/sock.h>
#include <net/xfrm.h> #include <net/xfrm.h>
#include <net/netlink.h> #include <net/netlink.h>
#include <net/ah.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#include <linux/in6.h> #include <linux/in6.h>
...@@ -302,7 +303,8 @@ static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, ...@@ -302,7 +303,8 @@ static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props,
algo = xfrm_aalg_get_byname(ualg->alg_name, 1); algo = xfrm_aalg_get_byname(ualg->alg_name, 1);
if (!algo) if (!algo)
return -ENOSYS; return -ENOSYS;
if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) if ((ualg->alg_trunc_len / 8) > MAX_AH_AUTH_LEN ||
ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits)
return -EINVAL; return -EINVAL;
*props = algo->desc.sadb_alg_id; *props = algo->desc.sadb_alg_id;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment