From: Su Yanjun
Subject: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds
Date: Sun, 3 Mar 2019 22:47:39 -0500
Message-ID: <1551671259-21311-1-git-send-email-suyj.fnst@cn.fujitsu.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When I reviewed the xfrm_user.c code, I found a potential bug in it.

In xfrm_user_rcvmsg, if the type parameter from user space is set to XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO, it will cause xfrm_user_rcv_msg to refer to a null entry in the xfrm_dispatch array.

Signed-off-by: Su Yanjun
--- net/xfrm/xfrm_user.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index a131f9f..d832783 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2630,11 +2630,13 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, return -EOPNOTSUPP; type = nlh->nlmsg_type; - if (type > XFRM_MSG_MAX) + if (type >= XFRM_MSG_MAX) return -EINVAL; type -= XFRM_MSG_BASE; link = &xfrm_dispatch[type]; + if (!link) + return -EOPNOTSUPP; /* All operations require privileges, even GET */ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) -- 2.7.4
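
Review bot: The added `if (!link)` test after `link = &xfrm_dispatch[type];` can never be true, because `link` is the address of an array element and that address is non-NULL for every index, so the null-entry case described in the commit message is still not caught. An empty slot has to be detected by testing a member of the entry that `link` points to, not the pointer itself. Separately, changing the bound to `if (type >= XFRM_MSG_MAX)` makes XFRM_MSG_MAX itself fail with -EINVAL; the commit message describes that type as reaching a null entry rather than running past the end of the array, so please check against the definition of XFRM_MSG_MAX and the declared size of xfrm_dispatch (neither is visible in this hunk) that the new bound does not reject a valid message type. If the unpopulated slots are the only real problem, the "array out of bounds" part of the subject needs either a justification in the commit message or to be dropped.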