kernel-2.6.18-238.el5.src.rpm

From: Thomas Graf <tgraf@redhat.com>
Date: Fri, 28 Mar 2008 00:06:19 +0100
Subject: [net] ESP: ensure IV is in linear part of the skb
Message-id: 20080327230618.GA10573@lsx.localdomain
O-Subject: [RHEL5.2 PATCH] BZ#427248: [ESP] Ensure IV is in linear part of the skb to avoid BUG() due to OOB access
Bugzilla: 427248

This patch fixes a security issue where a specially crafted fragment
holding the IV in the second fragment triggers a BUG() condition
due to the IV size not being taken into account when calling
pskb_may_pull() to make sure it is in the linear part.

Patch was submitted upstream to netdev a few minutes ago.

Acked-by: "David S. Miller" <davem@redhat.com>
Acked-by: James Morris <jmorris@redhat.com>

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index f0dba29..e620581 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -344,7 +344,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 	struct scatterlist *asg;
 	int err = -EINVAL;
 
-	if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr)))
+	if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead)))
 		goto out;
 
 	if (elen <= 0)
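Review bot: The new pull length `sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead)` is left unexplained; a one-line comment above the check stating that the IV immediately follows the ESP header and is read straight out of the linear skb data would tell a future reader why the header alone is no longer enough. Also confirm that `aead` is assigned before this point: the variable is used in the new condition but its initialisation is not in the visible context, and a pull that runs before `aead` is set would read an uninitialised pointer.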
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 68e3099..ffbb136 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -301,7 +301,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 	struct scatterlist *sg;
 	struct scatterlist *asg;
 
-	if (!pskb_may_pull(skb, sizeof(struct ipv6_esp_hdr))) {
+	if (!pskb_may_pull(skb, sizeof(struct ipv6_esp_hdr) + crypto_aead_ivsize(aead))) {
 		ret = -EINVAL;
 		goto out;
 	}
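Review bot: This is the same change as in esp4.c and deserves the same short comment, so that the IPv4 and IPv6 input paths document the linear-IV requirement identically; a reader fixing one file later should find the reasoning in the other as well. Since the combined length `sizeof(struct ipv6_esp_hdr) + crypto_aead_ivsize(aead)` is what the rest of esp6_input() will rely on when it locates the header and IV, consider computing it once into a local and using that both here and wherever the IV pointer is derived, so the two cannot drift apart.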