[PATCH 0/2] xfrm: fix buffer overflows
Thomas Egerer
thomas.egerer at secunet.com
Tue May 31 08:29:53 PDT 2016
Hi *,

we have found one definite and one potential buffer overflow
in libnl when adding xfrm states.

The definite one is triggered whenever an aead/auth (etc) key
is added to an xfrmnl_sa structure. The potential one is only
triggered if the same functions are called with alg_names
longer than 72/68 bytes + keysize. Then a strcpy call writes
beyond the appropriate data structures in struct xfrmnl_sa.

Cheers,
Thomas

Thomas Egerer (2):
  xfrm: fix buffer overflow when copying keys
  xfrm: check length of alg_name before strcpying it

 lib/xfrm/sa.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
--
2.6.4
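
The two checks named in the patch subjects above, sketched as an added example that is not code from this series or from libnl. struct demo_algo, demo_algo_new and the 64-byte name field are hypothetical stand-ins for a record holding a fixed-size algorithm name followed by a variable-length key.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: fixed name field, key length in bits, then the key.
 * The 64-byte field size is an assumption, not libnl's definition. */
struct demo_algo {
    char         name[64];
    unsigned int key_bits;
    char         key[];          /* key_bits / 8 bytes, rounded up */
};

/* Returns a new record, or NULL if the name (with its NUL) does not fit the
 * fixed field or the allocation fails. */
struct demo_algo *demo_algo_new(const char *name, unsigned int key_bits,
                                const char *key)
{
    size_t key_bytes = ((size_t)key_bits + 7) / 8;
    size_t name_len = strlen(name);
    struct demo_algo *a;

    /* Check 1: bound the name by the field, not by the allocation size. */
    if (name_len >= sizeof(a->name))
        return NULL;

    /* Check 2: allocate header plus key so the key copy stays in bounds. */
    a = calloc(1, sizeof(*a) + key_bytes);
    if (!a)
        return NULL;

    memcpy(a->name, name, name_len + 1);
    a->key_bits = key_bits;
    memcpy(a->key, key, key_bytes);
    return a;
}

int main(void)
{
    char long_name[100];                              /* constructed input */
    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';

    struct demo_algo *ok = demo_algo_new("hmac(sha256)", 256,
                                         "0123456789abcdef0123456789abcdef");
    printf("short name accepted: %s\n", ok ? "yes" : "no");
    printf("99-byte name accepted: %s\n",
           demo_algo_new(long_name, 0, "") ? "yes" : "no");
    free(ok);
    return 0;
}
```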