Diffstat (limited to 'net/xfrm/xfrm_user.c')
-rw-r--r--net/xfrm/xfrm_user.c106
1 files changed, 66 insertions, 40 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c4cde57d921..311205ffa77 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -244,11 +244,10 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
*props = algo->desc.sadb_alg_id;
len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8;
- p = kmalloc(len, GFP_KERNEL);
+ p = kmemdup(ualg, len, GFP_KERNEL);
if (!p)
return -ENOMEM;
- memcpy(p, ualg, len);
strcpy(p->alg_name, algo->name);
*algpp = p;
return 0;
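Review bot: The `len` handed to kmemdup is derived from `ualg->alg_key_len`, a value supplied by userspace, and nothing in this hunk shows that `len` was bounded against the attribute's actual payload length before the copy; if that check lives in the caller (outside this hunk) a short comment here would make the dependency explicit, e.g. `/* len is trusted only because the caller already bounded alg_key_len against the rtattr payload */`. The switch to kmemdup is otherwise a faithful replacement of kmalloc+memcpy. attach_one_algo begins and ends outside the hunk.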
@@ -263,11 +262,10 @@ static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_a
return 0;
uencap = RTA_DATA(rta);
- p = kmalloc(sizeof(*p), GFP_KERNEL);
+ p = kmemdup(uencap, sizeof(*p), GFP_KERNEL);
if (!p)
return -ENOMEM;
- memcpy(p, uencap, sizeof(*p));
*encapp = p;
return 0;
}
@@ -305,11 +303,10 @@ static int attach_one_addr(xfrm_address_t **addrpp, struct rtattr *u_arg)
return 0;
uaddrp = RTA_DATA(rta);
- p = kmalloc(sizeof(*p), GFP_KERNEL);
+ p = kmemdup(uaddrp, sizeof(*p), GFP_KERNEL);
if (!p)
return -ENOMEM;
- memcpy(p, uaddrp, sizeof(*p));
*addrpp = p;
return 0;
}
@@ -495,6 +492,7 @@ static struct xfrm_state *xfrm_user_state_lookup(struct xfrm_usersa_id *p,
goto out;
}
+ err = -ESRCH;
x = xfrm_state_lookup_byaddr(&p->daddr, saddr, p->proto,
p->family);
}
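Review bot: The added `err = -ESRCH;` overwrites whatever `err` held from the branch that ends just above it, and the reason is not stated; a one-line comment would keep the next maintainer from "fixing" it, e.g. `/* a miss in the byaddr lookup must report -ESRCH, not the earlier err value */`. Whether the earlier branch leaves a different error in `err` cannot be seen from the hunk, so the comment is an inference to confirm. xfrm_user_state_lookup begins and ends outside the hunk.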
@@ -652,7 +650,6 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
if (!skb)
return ERR_PTR(-ENOMEM);
- NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
info.in_skb = in_skb;
info.out_skb = skb;
info.nlmsg_seq = seq;
@@ -772,7 +769,7 @@ out_noput:
return err;
}
-static int verify_policy_dir(__u8 dir)
+static int verify_policy_dir(u8 dir)
{
switch (dir) {
case XFRM_POLICY_IN:
@@ -787,7 +784,7 @@ static int verify_policy_dir(__u8 dir)
return 0;
}
-static int verify_policy_type(__u8 type)
+static int verify_policy_type(u8 type)
{
switch (type) {
case XFRM_POLICY_TYPE_MAIN:
@@ -874,22 +871,57 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
t->aalgos = ut->aalgos;
t->ealgos = ut->ealgos;
t->calgos = ut->calgos;
+ t->encap_family = ut->family;
+ }
+}
+
+static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+{
+ int i;
+
+ if (nr > XFRM_MAX_DEPTH)
+ return -EINVAL;
+
+ for (i = 0; i < nr; i++) {
+ /* We never validated the ut->family value, so many
+ * applications simply leave it at zero. The check was
+ * never made and ut->family was ignored because all
+ * templates could be assumed to have the same family as
+ * the policy itself. Now that we will have ipv4-in-ipv6
+ * and ipv6-in-ipv4 tunnels, this is no longer true.
+ */
+ if (!ut[i].family)
+ ut[i].family = family;
+
+ switch (ut[i].family) {
+ case AF_INET:
+ break;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ case AF_INET6:
+ break;
+#endif
+ default:
+ return -EINVAL;
+ };
}
+
+ return 0;
}
static int copy_from_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma)
{
struct rtattr *rt = xfrma[XFRMA_TMPL-1];
- struct xfrm_user_tmpl *utmpl;
- int nr;
if (!rt) {
pol->xfrm_nr = 0;
} else {
- nr = (rt->rta_len - sizeof(*rt)) / sizeof(*utmpl);
+ struct xfrm_user_tmpl *utmpl = RTA_DATA(rt);
+ int nr = (rt->rta_len - sizeof(*rt)) / sizeof(*utmpl);
+ int err;
- if (nr > XFRM_MAX_DEPTH)
- return -EINVAL;
+ err = validate_tmpl(nr, utmpl, pol->family);
+ if (err)
+ return err;
copy_templates(pol, RTA_DATA(rt), nr);
}
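Review bot: validate_tmpl only bounds `nr` from above (`if (nr > XFRM_MAX_DEPTH)`), yet both callers compute `nr` as a signed int from a length difference — `(rt->rta_len - sizeof(*rt)) / sizeof(*utmpl)` here and `(len - sizeof(*p)) / sizeof(*ut)` in the xfrm_compile_policy hunk at `@@ -1979` — so a negative `nr` would pass the check and be handed to copy_templates; a symmetric guard `if (nr < 0 || nr > XFRM_MAX_DEPTH)` closes that regardless of whether the netlink layer already guarantees rta_len >= sizeof(*rt). The function also writes back into the caller's template array (`ut[i].family = family`), which is worth stating in a header comment, e.g. `/* Validate nr templates and normalise ut[i].family in place (0 -> family); returns 0 or -EINVAL. */`. The `};` closing the switch is a stray empty statement and should be `}`. copy_from_user_tmpl continues past the end of the hunk.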
@@ -900,7 +932,7 @@ static int copy_from_user_policy_type(u8 *tp, struct rtattr **xfrma)
{
struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1];
struct xfrm_userpolicy_type *upt;
- __u8 type = XFRM_POLICY_TYPE_MAIN;
+ u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
if (rt) {
@@ -1027,7 +1059,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
memcpy(&up->id, &kp->id, sizeof(up->id));
- up->family = xp->family;
+ up->family = kp->encap_family;
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
up->reqid = kp->reqid;
up->mode = kp->mode;
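Review bot: `up->family = kp->encap_family` now reports whatever was stored in the template, and in this file encap_family is only populated by copy_templates after validate_tmpl has normalised a zero family; any other constructor of struct xfrm_tmpl (outside this file, e.g. a non-netlink key manager) that leaves encap_family at zero would now dump templates with family 0 where they previously showed the policy family. If that is intended, a comment at this line such as `/* encap_family may be 0 for templates not built via copy_templates */` would record it; if not, a fallback to xp->family when encap_family is 0 is a one-line change. copy_to_user_tmpl begins and ends outside the hunk.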
@@ -1082,12 +1114,12 @@ static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *s
}
#ifdef CONFIG_XFRM_SUB_POLICY
-static int copy_to_user_policy_type(struct xfrm_policy *xp, struct sk_buff *skb)
+static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
{
struct xfrm_userpolicy_type upt;
memset(&upt, 0, sizeof(upt));
- upt.type = xp->type;
+ upt.type = type;
RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
@@ -1098,7 +1130,7 @@ rtattr_failure:
}
#else
-static inline int copy_to_user_policy_type(struct xfrm_policy *xp, struct sk_buff *skb)
+static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
{
return 0;
}
@@ -1127,7 +1159,7 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
goto nlmsg_failure;
if (copy_to_user_sec_ctx(xp, skb))
goto nlmsg_failure;
- if (copy_to_user_policy_type(xp, skb) < 0)
+ if (copy_to_user_policy_type(xp->type, skb) < 0)
goto nlmsg_failure;
nlh->nlmsg_len = skb->tail - b;
@@ -1170,7 +1202,6 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
if (!skb)
return ERR_PTR(-ENOMEM);
- NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
info.in_skb = in_skb;
info.out_skb = skb;
info.nlmsg_seq = seq;
@@ -1189,7 +1220,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
{
struct xfrm_policy *xp;
struct xfrm_userpolicy_id *p;
- __u8 type = XFRM_POLICY_TYPE_MAIN;
+ u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
struct km_event c;
int delete;
@@ -1283,10 +1314,12 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_eve
id = NLMSG_DATA(nlh);
nlh->nlmsg_flags = 0;
- id->sa_id.daddr = x->id.daddr;
+ memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr));
id->sa_id.spi = x->id.spi;
id->sa_id.family = x->props.family;
id->sa_id.proto = x->id.proto;
+ memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr));
+ id->reqid = x->props.reqid;
id->flags = c->data.aevent;
RTA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
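Review bot: Both added memcpy calls are missing the space after the comma before `sizeof` (`&x->id.daddr,sizeof(...)` and `&x->props.saddr,sizeof(...)`), which is inconsistent with the surrounding code; write them as `memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr));` and `memcpy(&id->saddr, &x->props.saddr, sizeof(x->props.saddr));`. The new `id->saddr` and `id->reqid` members presumably come from a header change not shown here. build_aevent begins and ends outside the hunk.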
@@ -1407,7 +1440,7 @@ out:
static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
{
struct km_event c;
- __u8 type = XFRM_POLICY_TYPE_MAIN;
+ u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
@@ -1428,7 +1461,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void *
struct xfrm_policy *xp;
struct xfrm_user_polexpire *up = NLMSG_DATA(nlh);
struct xfrm_userpolicy_info *p = &up->pol;
- __u8 type = XFRM_POLICY_TYPE_MAIN;
+ u8 type = XFRM_POLICY_TYPE_MAIN;
int err = -ENOENT;
err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
@@ -1530,7 +1563,8 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, void **xf
}
/* build an XP */
- xp = xfrm_policy_construct(&ua->policy, (struct rtattr **) xfrma, &err); if (!xp) {
+ xp = xfrm_policy_construct(&ua->policy, (struct rtattr **) xfrma, &err);
+ if (!xp) {
kfree(x);
return err;
}
@@ -1907,7 +1941,7 @@ static int build_acquire(struct sk_buff *skb, struct xfrm_state *x,
goto nlmsg_failure;
if (copy_to_user_state_sec_ctx(x, skb))
goto nlmsg_failure;
- if (copy_to_user_policy_type(xp, skb) < 0)
+ if (copy_to_user_policy_type(xp->type, skb) < 0)
goto nlmsg_failure;
nlh->nlmsg_len = skb->tail - b;
@@ -1979,7 +2013,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
return NULL;
nr = ((len - sizeof(*p)) / sizeof(*ut));
- if (nr > XFRM_MAX_DEPTH)
+ if (validate_tmpl(nr, ut, p->sel.family))
return NULL;
if (p->dir > XFRM_POLICY_OUT)
@@ -2017,7 +2051,7 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
goto nlmsg_failure;
if (copy_to_user_sec_ctx(xp, skb))
goto nlmsg_failure;
- if (copy_to_user_policy_type(xp, skb) < 0)
+ if (copy_to_user_policy_type(xp->type, skb) < 0)
goto nlmsg_failure;
upe->hard = !!hard;
@@ -2096,7 +2130,7 @@ static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *
copy_to_user_policy(xp, p, dir);
if (copy_to_user_tmpl(xp, skb) < 0)
goto nlmsg_failure;
- if (copy_to_user_policy_type(xp, skb) < 0)
+ if (copy_to_user_policy_type(xp->type, skb) < 0)
goto nlmsg_failure;
nlh->nlmsg_len = skb->tail - b;
@@ -2117,7 +2151,6 @@ static int xfrm_notify_policy_flush(struct km_event *c)
unsigned char *b;
int len = 0;
#ifdef CONFIG_XFRM_SUB_POLICY
- struct xfrm_userpolicy_type upt;
len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type));
#endif
len += NLMSG_LENGTH(0);
@@ -2130,12 +2163,8 @@ static int xfrm_notify_policy_flush(struct km_event *c)
nlh = NLMSG_PUT(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0);
nlh->nlmsg_flags = 0;
-
-#ifdef CONFIG_XFRM_SUB_POLICY
- memset(&upt, 0, sizeof(upt));
- upt.type = c->data.type;
- RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
-#endif
+ if (copy_to_user_policy_type(c->data.type, skb) < 0)
+ goto nlmsg_failure;
nlh->nlmsg_len = skb->tail - b;
@@ -2143,9 +2172,6 @@ static int xfrm_notify_policy_flush(struct km_event *c)
return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);
nlmsg_failure:
-#ifdef CONFIG_XFRM_SUB_POLICY
-rtattr_failure:
-#endif
kfree_skb(skb);
return -1;
}