| developer | 7e32f7e | 2022-05-18 21:10:08 +0800 | [diff] [blame^] | 1 | From aa81700cf2326e288c9ca1fe7b544039617f1fc2 Mon Sep 17 00:00:00 2001 |
| 2 | From: Davide Caratti <dcaratti@redhat.com> |
| 3 | Date: Mon, 6 Apr 2020 11:38:29 +0200 |
| 4 | Subject: macsec: fix NULL dereference in macsec_upd_offload() |
| 5 | |
| 6 | macsec_upd_offload() gets the value of MACSEC_OFFLOAD_ATTR_TYPE |
| 7 | without checking its presence in the request message, and this causes |
| 8 | a NULL dereference. Fix it rejecting any configuration that does not |
| 9 | include this attribute. |
| 10 | |
| 11 | Reported-and-tested-by: syzbot+7022ab7c383875c17eff@syzkaller.appspotmail.com |
| 12 | Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection") |
| 13 | Signed-off-by: Davide Caratti <dcaratti@redhat.com> |
| 14 | Signed-off-by: David S. Miller <davem@davemloft.net> |
| 15 | --- |
| 16 | drivers/net/macsec.c | 3 +++ |
| 17 | 1 file changed, 3 insertions(+) |
| 18 | |
| 19 | diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c |
| 20 | index da82d7f16a09d..0d580d81d910f 100644 |
| 21 | --- a/drivers/net/macsec.c |
| 22 | +++ b/drivers/net/macsec.c |
| 23 | @@ -2594,6 +2594,9 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) |
| 24 | return PTR_ERR(dev); |
| 25 | macsec = macsec_priv(dev); |
| 26 | |
| 27 | + if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]) |
| 28 | + return -EINVAL; |
| 29 | + |
| 30 | offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]); |
| 31 | if (macsec->offload == offload) |
| 32 | return 0; |
| 33 | -- |
| 34 | cgit 1.2.3-1.el7 |
| 35 | |