[PATCH 0/2] xfrm: fix buffer overflows
Thomas Haller
thaller at redhat.com
Sat Jun 25 05:02:22 PDT 2016
On Tue, 2016-05-31 at 17:29 +0200, Thomas Egerer wrote:
> Hi *,
>
> we have found one definite and one potential buffer overflow
> in libnl when adding xfrm states.
> The definite one is triggered whenever an aead/auth (etc) key
> is added to an xfrmnl_sa structure. The potential one is only
> triggered if the same functions are called with alg_names
> longer than 72/68 bytes + keysize. Then a strcpy call writes
> beyond the appropriate data structures in struct xfrmnl_sa.
>
> Cheers,
> Thomas
>
> Thomas Egerer (2):
> xfrm: fix buffer overflow when copying keys
> xfrm: check length of alg_name before strcpying it
>
Hi Thomas,
thanks for the 2 patches. Merged both to master:
https://github.com/thom311/libnl/commit/c009b20919562e6968969309049064d59d35010a
xfrmnl_sa_get_comp_params() et al. seem wrong too.
How can somebody safely know the required size of the @key buffer?
The required size for @alg_name is also not documented, so a user would
have to read the source to see that it must be >= 64 bytes (and then
trust that we won't break that -- which we indeed would not).
That is a todo.
Thanks,
Thomas
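As an added illustration of the two points raised in this thread (bounding the copy of alg_name into a fixed-size field, and letting the caller of a getter state how large its @key buffer is), here is a small self-contained C example. It is not libnl's code: struct sa_alg, sa_alg_set(), sa_alg_get() and the KEY_MAX capacity are assumptions standing in for the real xfrmnl_sa fields and functions; only the 64-byte name size comes from the message above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fixed-size fields of struct xfrmnl_sa.
 * ALG_NAME_MAX follows the ">= 64 bytes" mentioned in the thread;
 * KEY_MAX is an assumed capacity, not libnl's real layout. */
#define ALG_NAME_MAX 64
#define KEY_MAX 128

struct sa_alg {
    char alg_name[ALG_NAME_MAX];  /* NUL-terminated algorithm name */
    size_t key_len;               /* bytes actually stored in key[] */
    unsigned char key[KEY_MAX];
};

/* Setter with length checks. An unbounded strcpy() into alg_name would let
 * a name of 64 or more bytes spill into key_len and key; here the name is
 * rejected up front, and the key is refused if it exceeds the capacity. */
int sa_alg_set(struct sa_alg *sa, const char *alg_name,
               const unsigned char *key, size_t key_len)
{
    /* memchr bounds the scan, so an unterminated input cannot run off either. */
    const char *nul = memchr(alg_name, '\0', ALG_NAME_MAX);
    if (nul == NULL)
        return -1;                 /* name needs >= ALG_NAME_MAX bytes: reject */
    if (key_len > KEY_MAX)
        return -1;                 /* key would not fit: reject */

    memcpy(sa->alg_name, alg_name, (size_t)(nul - alg_name) + 1);
    memcpy(sa->key, key, key_len);
    sa->key_len = key_len;
    return 0;
}

/* Getter that takes the caller's buffer sizes instead of assuming them.
 * It always reports how many key bytes are needed, and only writes when
 * both caller buffers are large enough, so the caller can size a buffer
 * from the reported length and call again. */
int sa_alg_get(const struct sa_alg *sa,
               char *name_out, size_t name_size,
               unsigned char *key_out, size_t key_size,
               size_t *key_len_needed)
{
    size_t name_len = strlen(sa->alg_name);

    if (key_len_needed)
        *key_len_needed = sa->key_len;
    if (name_size < name_len + 1 || key_size < sa->key_len)
        return -1;                 /* too small: nothing is written */

    memcpy(name_out, sa->alg_name, name_len + 1);
    memcpy(key_out, sa->key, sa->key_len);
    return 0;
}

/* Exercises the checks on constructed inputs; returns 1 if every
 * expectation holds, 0 otherwise. */
int run_demo(void)
{
    struct sa_alg sa;
    unsigned char key[16] = {0x01, 0x02, 0x03, 0x04};  /* constructed key */
    char long_name[80];
    char name_out[ALG_NAME_MAX];
    unsigned char key_out[16];
    size_t needed = 0;

    memset(&sa, 0, sizeof sa);
    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';   /* 79-byte name: too long */

    if (sa_alg_set(&sa, "hmac(sha256)", key, sizeof key) != 0) return 0;
    if (sa_alg_set(&sa, long_name, key, sizeof key) != -1) return 0;
    if (sa.key_len != sizeof key) return 0;            /* rejection left state intact */
    /* 8-byte key buffer is too small: refused, but the needed size is reported. */
    if (sa_alg_get(&sa, name_out, sizeof name_out, key_out, 8, &needed) != -1) return 0;
    if (needed != sizeof key) return 0;
    if (sa_alg_get(&sa, name_out, sizeof name_out, key_out, sizeof key_out, &needed) != 0) return 0;
    if (strcmp(name_out, "hmac(sha256)") != 0) return 0;
    if (memcmp(key_out, key, sizeof key) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("checks %s\n", run_demo() ? "passed" : "FAILED");
    return 0;
}
```

The getter's size-reporting contract is what makes the @key question answerable without reading the source: a caller that passes too small a buffer gets an error and the length it actually needs, rather than silently overrunning its own memory.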