Merge tag 'v5.6' into next

Sync up with mainline to get device tree and other changes.
author: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-05-12 12:18:21 -0700
committer: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2020-05-12 12:18:21 -0700
commit: 0fdc50dfab47d525b71a9f0d8310746cdc0c09c5 (patch)
tree: 42f5f09f2c8677389136541815394b76fba07600 /net/xfrm/xfrm_user.c
parent: Input: add driver for the Cypress CY8CTMA140 touchscreen (diff)
parent: Linux 5.6 (diff)
download: linux-dev-0fdc50dfab47d525b71a9f0d8310746cdc0c09c5.tar.xz
linux-dev-0fdc50dfab47d525b71a9f0d8310746cdc0c09c5.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b88ba45ff1ac..e6cfaa680ef3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
 		return 0;
 
 	uctx = nla_data(rt);
-	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+	if (uctx->len > nla_len(rt) ||
+	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
 		return -EINVAL;
 
 	return 0;
@@ -2275,6 +2276,9 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
 	err = verify_newpolicy_info(&ua->policy);
 	if (err)
 		goto free_state;
+	err = verify_sec_ctx_len(attrs);
+	if (err)
+		goto free_state;
 
 	/*   build an XP */
 	xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
author	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2020-05-12 12:18:21 -0700
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2020-05-12 12:18:21 -0700
commit	0fdc50dfab47d525b71a9f0d8310746cdc0c09c5 (patch)
tree	42f5f09f2c8677389136541815394b76fba07600 /net/xfrm/xfrm_user.c
parent	Input: add driver for the Cypress CY8CTMA140 touchscreen (diff)
parent	Linux 5.6 (diff)
download	linux-dev-0fdc50dfab47d525b71a9f0d8310746cdc0c09c5.tar.xz linux-dev-0fdc50dfab47d525b71a9f0d8310746cdc0c09c5.zip