diff options
author | Mathias Krause <minipli@googlemail.com> | 2012-09-13 11:41:26 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-09-18 16:13:45 -0400 |
commit | 864745d291b5ba80ea0bd0edcbe67273de368836 (patch) | |
tree | 3a1f7ea5641d94680f30514c88b4996e736926bc /net | |
parent | 2c20cbd7e3aa6e9dddc07975d3f3a89fe1f69c00 (diff) | |
download | op-kernel-dev-864745d291b5ba80ea0bd0edcbe67273de368836.zip op-kernel-dev-864745d291b5ba80ea0bd0edcbe67273de368836.tar.gz |
xfrm_user: return error pointer instead of NULL
When dump_one_state() returns an error, e.g. because of a too small
buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
instead of an error pointer. But its callers expect an error pointer
and therefore continue to operate on a NULL skbuff.
This could lead to a privilege escalation (execution of user code in
kernel context) if the attacker has CAP_NET_ADMIN and is able to map
address 0.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/xfrm/xfrm_user.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index e75d8e4..dac08e2 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -878,6 +878,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, { struct xfrm_dump_info info; struct sk_buff *skb; + int err; skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); if (!skb) @@ -888,9 +889,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, info.nlmsg_seq = seq; info.nlmsg_flags = 0; - if (dump_one_state(x, 0, &info)) { + err = dump_one_state(x, 0, &info); + if (err) { kfree_skb(skb); - return NULL; + return ERR_PTR(err); } return skb; |