Ignore:
Timestamp:
Apr 16, 2017, 3:07:01 PM (4 months ago)
Author:
brainslayer
Message:

update

File:
1 edited

Legend:

Unmodified
Added
Removed
  • src/linux/universal/linux-3.18/net/xfrm/xfrm_user.c

    r25370 r31869  
    387387        ulen = xfrm_replay_state_esn_len(up);
    388388
    389         if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
     389        /* Check the overall length and the internal bitmap length to avoid
     390         * potential overflow. */
     391        if (nla_len(rp) < ulen ||
     392            xfrm_replay_state_esn_len(replay_esn) != ulen ||
     393            replay_esn->bmp_len != up->bmp_len)
     394                return -EINVAL;
     395
     396        if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
    390397                return -EINVAL;
    391398
Note: See TracChangeset for help on using the changeset viewer.