Commit 0c8d2d95 authored by David S. Miller's avatar David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2017-08-21

1) Fix memleaks when ESP takes an error path.

2) Fix null pointer dereference when creating a sub policy
   that matches the same outer flow as main policy does.
   From Koichiro Den.

3) Fix possible out-of-bound access in xfrm_migrate.
   This patch should go to the stable trees too.
   From Vladis Dronov.

4) ESP can return positive and negative error values,
   so treat both cases as an error.

Please pull or let me know if there are problems.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 3de33e1b 4ff0308f
...@@ -381,7 +381,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * ...@@ -381,7 +381,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
(unsigned char *)esph - skb->data, (unsigned char *)esph - skb->data,
assoclen + ivlen + esp->clen + alen); assoclen + ivlen + esp->clen + alen);
if (unlikely(err < 0)) if (unlikely(err < 0))
goto error; goto error_free;
if (!esp->inplace) { if (!esp->inplace) {
int allocsize; int allocsize;
...@@ -392,7 +392,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * ...@@ -392,7 +392,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
spin_lock_bh(&x->lock); spin_lock_bh(&x->lock);
if (unlikely(!skb_page_frag_refill(allocsize, pfrag, GFP_ATOMIC))) { if (unlikely(!skb_page_frag_refill(allocsize, pfrag, GFP_ATOMIC))) {
spin_unlock_bh(&x->lock); spin_unlock_bh(&x->lock);
goto error; goto error_free;
} }
skb_shinfo(skb)->nr_frags = 1; skb_shinfo(skb)->nr_frags = 1;
...@@ -409,7 +409,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * ...@@ -409,7 +409,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
(unsigned char *)esph - skb->data, (unsigned char *)esph - skb->data,
assoclen + ivlen + esp->clen + alen); assoclen + ivlen + esp->clen + alen);
if (unlikely(err < 0)) if (unlikely(err < 0))
goto error; goto error_free;
} }
if ((x->props.flags & XFRM_STATE_ESN)) if ((x->props.flags & XFRM_STATE_ESN))
...@@ -442,8 +442,9 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * ...@@ -442,8 +442,9 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
if (sg != dsg) if (sg != dsg)
esp_ssg_unref(x, tmp); esp_ssg_unref(x, tmp);
kfree(tmp);
error_free:
kfree(tmp);
error: error:
return err; return err;
} }
...@@ -695,8 +696,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -695,8 +696,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
sg_init_table(sg, nfrags); sg_init_table(sg, nfrags);
err = skb_to_sgvec(skb, sg, 0, skb->len); err = skb_to_sgvec(skb, sg, 0, skb->len);
if (unlikely(err < 0)) if (unlikely(err < 0)) {
kfree(tmp);
goto out; goto out;
}
skb->ip_summed = CHECKSUM_NONE; skb->ip_summed = CHECKSUM_NONE;
......
...@@ -257,7 +257,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ ...@@ -257,7 +257,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32)); esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32));
err = esp_output_tail(x, skb, &esp); err = esp_output_tail(x, skb, &esp);
if (err < 0) if (err)
return err; return err;
secpath_reset(skb); secpath_reset(skb);
......
...@@ -345,7 +345,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info ...@@ -345,7 +345,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
(unsigned char *)esph - skb->data, (unsigned char *)esph - skb->data,
assoclen + ivlen + esp->clen + alen); assoclen + ivlen + esp->clen + alen);
if (unlikely(err < 0)) if (unlikely(err < 0))
goto error; goto error_free;
if (!esp->inplace) { if (!esp->inplace) {
int allocsize; int allocsize;
...@@ -356,7 +356,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info ...@@ -356,7 +356,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
spin_lock_bh(&x->lock); spin_lock_bh(&x->lock);
if (unlikely(!skb_page_frag_refill(allocsize, pfrag, GFP_ATOMIC))) { if (unlikely(!skb_page_frag_refill(allocsize, pfrag, GFP_ATOMIC))) {
spin_unlock_bh(&x->lock); spin_unlock_bh(&x->lock);
goto error; goto error_free;
} }
skb_shinfo(skb)->nr_frags = 1; skb_shinfo(skb)->nr_frags = 1;
...@@ -373,7 +373,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info ...@@ -373,7 +373,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
(unsigned char *)esph - skb->data, (unsigned char *)esph - skb->data,
assoclen + ivlen + esp->clen + alen); assoclen + ivlen + esp->clen + alen);
if (unlikely(err < 0)) if (unlikely(err < 0))
goto error; goto error_free;
} }
if ((x->props.flags & XFRM_STATE_ESN)) if ((x->props.flags & XFRM_STATE_ESN))
...@@ -406,8 +406,9 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info ...@@ -406,8 +406,9 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
if (sg != dsg) if (sg != dsg)
esp_ssg_unref(x, tmp); esp_ssg_unref(x, tmp);
kfree(tmp);
error_free:
kfree(tmp);
error: error:
return err; return err;
} }
......
...@@ -286,7 +286,7 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features ...@@ -286,7 +286,7 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32)); esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32));
err = esp6_output_tail(x, skb, &esp); err = esp6_output_tail(x, skb, &esp);
if (err < 0) if (err)
return err; return err;
secpath_reset(skb); secpath_reset(skb);
......
...@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, ...@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
struct xfrm_state *x_new[XFRM_MAX_DEPTH]; struct xfrm_state *x_new[XFRM_MAX_DEPTH];
struct xfrm_migrate *mp; struct xfrm_migrate *mp;
/* Stage 0 - sanity checks */
if ((err = xfrm_migrate_check(m, num_migrate)) < 0) if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
goto out; goto out;
if (dir >= XFRM_POLICY_MAX) {
err = -EINVAL;
goto out;
}
/* Stage 1 - find policy */ /* Stage 1 - find policy */
if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
err = -ENOENT; err = -ENOENT;
......
...@@ -1620,6 +1620,7 @@ int ...@@ -1620,6 +1620,7 @@ int
xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
unsigned short family, struct net *net) unsigned short family, struct net *net)
{ {
int i;
int err = 0; int err = 0;
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
if (!afinfo) if (!afinfo)
...@@ -1628,6 +1629,9 @@ xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, ...@@ -1628,6 +1629,9 @@ xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
spin_lock_bh(&net->xfrm.xfrm_state_lock); /*FIXME*/ spin_lock_bh(&net->xfrm.xfrm_state_lock); /*FIXME*/
if (afinfo->tmpl_sort) if (afinfo->tmpl_sort)
err = afinfo->tmpl_sort(dst, src, n); err = afinfo->tmpl_sort(dst, src, n);
else
for (i = 0; i < n; i++)
dst[i] = src[i];
spin_unlock_bh(&net->xfrm.xfrm_state_lock); spin_unlock_bh(&net->xfrm.xfrm_state_lock);
rcu_read_unlock(); rcu_read_unlock();
return err; return err;
...@@ -1638,6 +1642,7 @@ int ...@@ -1638,6 +1642,7 @@ int
xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
unsigned short family) unsigned short family)
{ {
int i;
int err = 0; int err = 0;
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
struct net *net = xs_net(*src); struct net *net = xs_net(*src);
...@@ -1648,6 +1653,9 @@ xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, ...@@ -1648,6 +1653,9 @@ xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
spin_lock_bh(&net->xfrm.xfrm_state_lock); spin_lock_bh(&net->xfrm.xfrm_state_lock);
if (afinfo->state_sort) if (afinfo->state_sort)
err = afinfo->state_sort(dst, src, n); err = afinfo->state_sort(dst, src, n);
else
for (i = 0; i < n; i++)
dst[i] = src[i];
spin_unlock_bh(&net->xfrm.xfrm_state_lock); spin_unlock_bh(&net->xfrm.xfrm_state_lock);
rcu_read_unlock(); rcu_read_unlock();
return err; return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment