diff options
author | Thomas Gleixner <tglx@linutronix.de> | 2018-01-27 15:35:29 +0100 |
---|---|---|
committer | Thomas Gleixner <tglx@linutronix.de> | 2018-01-27 15:35:29 +0100 |
commit | 303c146df1c4574db3495d9acc5c440dd46c6b0f (patch) | |
tree | fbcea289aea24da8a44c7677a776988bb3c8bcbe /net/key/af_key.c | |
parent | usb/gadget/NCM: Replace tasklet with softirq hrtimer (diff) | |
parent | hrtimer: Reset hrtimer cpu base proper on CPU hotplug (diff) | |
download | linux-dev-303c146df1c4574db3495d9acc5c440dd46c6b0f.tar.xz linux-dev-303c146df1c4574db3495d9acc5c440dd46c6b0f.zip |
Merge branch 'timers/urgent' into timers/core
Pick up urgent bug fix and resolve the conflict.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'net/key/af_key.c')
-rw-r--r-- | net/key/af_key.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 3dffb892d52c..7e2e7188e7f4 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -401,6 +401,11 @@ static int verify_address_len(const void *p) #endif int len; + if (sp->sadb_address_len < + DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family), + sizeof(uint64_t))) + return -EINVAL; + switch (addr->sa_family) { case AF_INET: len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t)); @@ -511,6 +516,9 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void * uint16_t ext_type; int ext_len; + if (len < sizeof(*ehdr)) + return -EINVAL; + ext_len = ehdr->sadb_ext_len; ext_len *= sizeof(uint64_t); ext_type = ehdr->sadb_ext_type; @@ -2194,8 +2202,10 @@ static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_ev return PTR_ERR(out_skb); err = pfkey_xfrm_policy2msg(out_skb, xp, dir); - if (err < 0) + if (err < 0) { + kfree_skb(out_skb); return err; + } out_hdr = (struct sadb_msg *) out_skb->data; out_hdr->sadb_msg_version = PF_KEY_V2; |