linux/include
Sabrina Dubroca 9b3eb54106 xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
When CONFIG_XFRM_SUB_POLICY=y, xfrm_dst stores a copy of the flowi for
that dst. Unfortunately, the code that allocates and fills this copy
doesn't care about what type of flowi (flowi, flowi4, flowi6) gets
passed. In multiple code paths (from raw_sendmsg, from TCP when
replying to a FIN, in vxlan, geneve, and gre), the flowi that gets
passed to xfrm is actually an on-stack flowi4, so we end up reading
stuff from the stack past the end of the flowi4 struct.

Since xfrm_dst->origin isn't used anywhere following commit
ca116922af ("xfrm: Eliminate "fl" and "pol" args to
xfrm_bundle_ok()."), just get rid of it.  xfrm_dst->partner isn't used
either, so get rid of that too.

Fixes: 9d6ec93801 ("ipv4: Use flowi4 in public route lookup interfaces.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-05-04 07:30:59 +02:00
..
acpi Generic device properties framework updates for v4.12-rc1 2017-05-01 14:18:05 -07:00
asm-generic Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 23:54:56 -07:00
clocksource clocksource: arm_arch_timer: add structs to describe MMIO timer 2017-04-19 16:11:48 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-05-02 15:53:46 -07:00
drm drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces 2017-03-30 11:43:39 +02:00
dt-bindings This is the bulk of pin control changes for the v4.12 cycle: 2017-05-02 17:59:33 -07:00
keys KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00
kvm KVM: arm64: Ensure LRs are clear when they should be 2017-04-04 14:33:58 +02:00
linux xdp: use common helper for netlink extended ack reporting 2017-05-03 09:51:24 -04:00
math-emu
media media fixes for v4.11-rc2 2017-03-09 15:50:56 -08:00
memory
misc
net xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY 2017-05-04 07:30:59 +02:00
pcmcia
ras
rdma Merge branch 'parisc-4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux into uaccess.parisc 2017-04-02 10:33:48 -04:00
rxrpc
scsi scsi: introduce a result field in struct scsi_request 2017-04-20 12:16:10 -06:00
soc soc/qman: add macros needed by caam/qi driver 2017-03-24 22:02:58 +08:00
sound sched/headers: Prepare to remove spurious <linux/sched.h> inclusion dependencies 2017-03-02 08:42:41 +01:00
target target: Fix ALUA transition state race between multiple initiators 2017-03-30 23:12:40 -07:00
trace Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
uapi Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2017-05-03 10:11:26 -04:00
video Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-05-02 15:53:46 -07:00
xen Merge branch 'x86-boot-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 20:51:12 -07:00
Kbuild