xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder 05/155205/1
author Andy Whitcroft <apw@canonical.com>
Thu, 23 Mar 2017 07:45:44 +0000 (07:45 +0000)
committer Seung-Woo Kim <sw0312.kim@samsung.com>
Thu, 12 Oct 2017 09:26:28 +0000 (18:26 +0900)
commit daf4044bbb0ec0275b650406d0f81807da3c1c40
tree 7af2800b99908f1f4675d7c59eba5c67ba0f7e79
parent 162440907ee63610158506816325e4b485be5ede
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues.  To ensure we are correctly ensuring that the two ESN
structures are the same size, compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2017-7184]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ia0f63f41e960c8f6cf2efd9ebab8b702363a81f9
net/xfrm/xfrm_user.c
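
An added userspace sketch (not the kernel code from this commit) of why comparing only a computed size is insufficient when the size calculation can wrap, and why also comparing the internal length closes the gap. The struct `esn_model`, the function names and the 32-bit size arithmetic are assumptions made for illustration; the input values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an ESN replay state: a fixed header
 * followed by a bitmap of bmp_len 32-bit words. */
struct esn_model {
    uint32_t bmp_len;        /* internal length: number of bitmap words */
    uint32_t replay_window;
};

/* Overall size computed in 32-bit arithmetic (assumption). For a large
 * bmp_len the multiplication wraps modulo 2^32. */
static uint32_t esn_len(const struct esn_model *e)
{
    return (uint32_t)sizeof(*e) + e->bmp_len * (uint32_t)sizeof(uint32_t);
}

/* Weak check: trusts the computed size alone. */
static int same_size_weak(const struct esn_model *cur,
                          const struct esn_model *in)
{
    return esn_len(cur) == esn_len(in);
}

/* Hardened check, as the commit message describes: both the overall
 * size and the internal length must match. */
static int same_size_strict(const struct esn_model *cur,
                            const struct esn_model *in)
{
    return esn_len(cur) == esn_len(in) && cur->bmp_len == in->bmp_len;
}

int main(void)
{
    struct esn_model cur = { .bmp_len = 1 };
    /* Constructed input: a different bmp_len whose size wraps to the same value. */
    struct esn_model in = { .bmp_len = 1u + (1u << 30) };

    printf("len(cur)=%u len(in)=%u\n",
           (unsigned)esn_len(&cur), (unsigned)esn_len(&in));
    printf("weak=%d strict=%d\n",
           same_size_weak(&cur, &in), same_size_strict(&cur, &in));
    return 0;
}
```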