diff options
author | Thomas Egerer <thomas.egerer@secunet.com> | 2016-05-31 15:30:03 (GMT) |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2016-06-25 11:54:28 (GMT) |
commit | bd3791dcf3eb1934a87b151da9af9c4e6086928d (patch) | |
tree | ba43a76d950247a34d9738a1ee7dabb0b77e6684 | |
parent | 6e37f6f981bc703bd70bf1af81cc0ef37bdcc16b (diff) | |
download | libnl-bd3791dcf3eb1934a87b151da9af9c4e6086928d.zip libnl-bd3791dcf3eb1934a87b151da9af9c4e6086928d.tar.gz libnl-bd3791dcf3eb1934a87b151da9af9c4e6086928d.tar.bz2 |
xfrm: check length of alg_name before strcpying it
If the parameter alg_name points to a string longer then what libnl
accepts as alg_name, the call to strcpy may write far beyond the
particular data structure.
Instead of truncating the string (using strncpy) this patch adds a check
and returns -1 for strings being longer than 63 bytes.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
Fixes: 917154470895520a77f527343f3a0cc1605934b0
http://lists.infradead.org/pipermail/libnl/2016-May/002133.html
-rw-r--r-- | lib/xfrm/sa.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c index 69bcfd6..1cd6edd 100644 --- a/lib/xfrm/sa.c +++ b/lib/xfrm/sa.c @@ -1635,7 +1635,7 @@ int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned in /* Free up the old key and allocate memory to hold new key */ if (sa->aead) free (sa->aead); - if ((sa->aead = calloc (1, newlen)) == NULL) + if (strlen (alg_name) >= sizeof (sa->aead->alg_name) || (sa->aead = calloc (1, newlen)) == NULL) return -1; /* Save the new info */ @@ -1672,7 +1672,7 @@ int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned in /* Free up the old auth data and allocate new one */ if (sa->auth) free (sa->auth); - if ((sa->auth = calloc (1, newlen)) == NULL) + if (strlen (alg_name) >= sizeof (sa->auth->alg_name) || (sa->auth = calloc (1, newlen)) == NULL) return -1; /* Save the new info */ @@ -1708,7 +1708,7 @@ int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned /* Free up the old crypto and allocate new one */ if (sa->crypt) free (sa->crypt); - if ((sa->crypt = calloc (1, newlen)) == NULL) + if (strlen (alg_name) >= sizeof (sa->crypt->alg_name) || (sa->crypt = calloc (1, newlen)) == NULL) return -1; /* Save the new info */ @@ -1743,7 +1743,7 @@ int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned in /* Free up the old compression algo params and allocate new one */ if (sa->comp) free (sa->comp); - if ((sa->comp = calloc (1, newlen)) == NULL) + if (strlen (alg_name) >= sizeof (sa->comp->alg_name) || (sa->comp = calloc (1, newlen)) == NULL) return -1; /* Save the new info */ |