| From aa81700cf2326e288c9ca1fe7b544039617f1fc2 Mon Sep 17 00:00:00 2001 |
| From: Davide Caratti <dcaratti@redhat.com> |
| Date: Mon, 6 Apr 2020 11:38:29 +0200 |
| Subject: macsec: fix NULL dereference in macsec_upd_offload() |
| |
| macsec_upd_offload() gets the value of MACSEC_OFFLOAD_ATTR_TYPE |
| without checking its presence in the request message, and this causes |
| a NULL dereference. Fix it rejecting any configuration that does not |
| include this attribute. |
| |
| Reported-and-tested-by: syzbot+7022ab7c383875c17eff@syzkaller.appspotmail.com |
| Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection") |
| Signed-off-by: Davide Caratti <dcaratti@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| --- |
| drivers/net/macsec.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c |
| index da82d7f16a09d..0d580d81d910f 100644 |
| --- a/drivers/net/macsec.c |
| +++ b/drivers/net/macsec.c |
| @@ -2594,6 +2594,9 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) |
| return PTR_ERR(dev); |
| macsec = macsec_priv(dev); |
| |
| + if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]) |
| + return -EINVAL; |
| + |
| offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]); |
| if (macsec->offload == offload) |
| return 0; |
| -- |
| cgit 1.2.3-1.el7 |
| |