svn commit: r312546 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Fri Jan 20 17:28:53 UTC 2017
Author: ae
Date: Fri Jan 20 17:28:52 2017
New Revision: 312546
URL: https://svnweb.freebsd.org/changeset/base/312546
Log:
Check sadb_sa_flags received from userland for correctness and
report back only supported flags (they are defined in pfkeyv2.h).
Modified:
projects/ipsec/sys/netipsec/key.c
Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Fri Jan 20 17:20:59 2017 (r312545)
+++ projects/ipsec/sys/netipsec/key.c Fri Jan 20 17:28:52 2017 (r312546)
@@ -3108,6 +3108,13 @@ key_setsaval(struct secasvar *sav, const
sav->alg_auth = sa0->sadb_sa_auth;
sav->alg_enc = sa0->sadb_sa_encrypt;
sav->flags = sa0->sadb_sa_flags;
+ if ((sav->flags & SADB_KEY_FLAGS_MAX) != sav->flags) {
+ ipseclog((LOG_DEBUG,
+ "%s: invalid sa_flags 0x%08x.\n", __func__,
+ sav->flags));
+ error = EINVAL;
+ goto fail;
+ }
/* Optional replay window */
replay = 0;
@@ -3608,9 +3615,8 @@ key_setsadbsa(struct secasvar *sav)
p->sadb_sa_state = sav->state;
p->sadb_sa_auth = sav->alg_auth;
p->sadb_sa_encrypt = sav->alg_enc;
- p->sadb_sa_flags = sav->flags;
-
- return m;
+ p->sadb_sa_flags = sav->flags & SADB_KEY_FLAGS_MAX;
+ return (m);
}
/*
More information about the svn-src-projects
mailing list