www.infradead.org Git - users/jedix/linux-maple.git/commit
ipsec: Fix aborted xfrm policy dump crash
author    Herbert Xu <herbert@gondor.apana.org.au>
          Thu, 19 Oct 2017 12:51:10 +0000 (20:51 +0800)
committer Brian Maly <brian.maly@oracle.com>
          Tue, 12 Jun 2018 21:13:10 +0000 (17:13 -0400)
commit    38337224b4fbd531e251524e8ce9d6061aa5df78
tree      4b53df82f24a901e47d4d0f4ee5a75f62fdaec75
parent    48c2d5f5e2580c9550db8ea4b433cf478925487e
ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash.  This can be
triggered if a dump fails because the target socket's receive
buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that
the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)

Orabug: 27169581
CVE: CVE-2017-16939

Reviewed-by: Shannon Nelson <shannon.nelson@oracle.com>
Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
net/xfrm/xfrm_user.c
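The failure mode the commit message describes, modelled in userland C as an added example (this is not the kernel's code and not part of the commit): a dump callback whose per-dump state is initialised lazily inside dump() leaves done() looking at uninitialised state whenever the core never manages to call dump(), which is exactly what happens when the receiving socket's buffer is already full. Moving the initialisation into a start() hook that the core runs unconditionally closes that gap. The struct layout, the start/dump/done names and the "receive buffer full" flag are assumptions chosen to mirror the netlink dump lifecycle; the real code would dereference an uninitialised list where this model returns -1.

```c
#include <stddef.h>

/* Userland model of the netlink dump lifecycle: an optional start(),
 * zero or more dump() calls, then done() when the dump ends or the
 * socket is closed.  Names are assumptions mirroring start/dump/done. */

struct policy_walk {
    int initialised;     /* stands in for the walker being on the dump list */
    int entries_left;    /* constructed: how many policies remain to emit */
};

struct dump_cb {
    int (*start)(struct dump_cb *cb);
    int (*dump)(struct dump_cb *cb);
    int (*done)(struct dump_cb *cb);
    struct policy_walk walk;   /* per-dump state (kernel keeps it in cb->args) */
    int rcv_buffer_full;       /* constructed fault: receiver cannot take a message */
};

#define POLICY_COUNT 3

static void walk_init(struct policy_walk *w)
{
    w->initialised = 1;
    w->entries_left = POLICY_COUNT;
}

/* Pre-fix pattern: the walker is initialised lazily on the first dump(). */
static int policy_dump_lazy(struct dump_cb *cb)
{
    if (!cb->walk.initialised)
        walk_init(&cb->walk);
    if (cb->walk.entries_left == 0)
        return 0;          /* nothing more to send: dump complete */
    cb->walk.entries_left--;
    return 1;              /* one message emitted, call again */
}

/* Post-fix pattern: initialisation lives in start(), which the core
 * runs before any attempt to dump, regardless of buffer state. */
static int policy_start(struct dump_cb *cb)
{
    walk_init(&cb->walk);
    return 0;
}

static int policy_dump_after_start(struct dump_cb *cb)
{
    if (cb->walk.entries_left == 0)
        return 0;
    cb->walk.entries_left--;
    return 1;
}

/* done() tears the walker down.  Where the real code would walk an
 * uninitialised list (the crash), this model returns -1 instead. */
static int policy_done(struct dump_cb *cb)
{
    if (!cb->walk.initialised)
        return -1;
    cb->walk.initialised = 0;
    return 0;
}

/* Model of the core: start() if present; dump() until exhausted unless
 * the receive buffer is full, in which case dump() never runs; done()
 * always runs.  Returns done()'s result. */
static int run_dump(struct dump_cb *cb)
{
    if (cb->start)
        cb->start(cb);
    if (!cb->rcv_buffer_full)
        while (cb->dump(cb) > 0)
            ;
    return cb->done(cb);
}

/* Scenario helpers: done()'s result for each pattern, with and without
 * the receive buffer being full. */
int dump_before_fix(int rcv_buffer_full)
{
    struct dump_cb cb = { NULL, policy_dump_lazy, policy_done, {0, 0}, rcv_buffer_full };
    return run_dump(&cb);
}

int dump_after_fix(int rcv_buffer_full)
{
    struct dump_cb cb = { policy_start, policy_dump_after_start, policy_done, {0, 0}, rcv_buffer_full };
    return run_dump(&cb);
}
```

The only difference between the two patterns is where walk_init() is called; the full-buffer path is the one a defender should test, because a normal dump exercises both patterns identically and hides the bug.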