diff options
author | Sabrina Dubroca <sd@queasysnail.net> | 2022-07-22 11:16:27 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-03 12:03:50 +0200 |
commit | 8991687d3bcf6b031b5679d7bc6dfaad68e6dcc4 (patch) | |
tree | b9ae57a90f0158a7e43b84458c16e69aacfef677 | |
parent | 830582c16be1ce0c8fa489d8973871587da617c9 (diff) |
macsec: fix NULL deref in macsec_add_rxsa
[ Upstream commit f46040eeaf2e523a4096199fd93a11e794818009 ]
Commit 48ef50fa866a added a test on tb_sa[MACSEC_SA_ATTR_PN], but
nothing guarantees that it's not NULL at this point. The same code was
added to macsec_add_txsa, but there it's not a problem because
validate_add_txsa checks that the MACSEC_SA_ATTR_PN attribute is
present.
Note: it's not possible to reproduce with iproute, because iproute
doesn't allow creating an SA without specifying the PN.
Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=208315
Reported-by: Frantisek Sumsal <fsumsal@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | drivers/net/macsec.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index e53b40359fd1..f72d4380374d 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -1751,7 +1751,8 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) } pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; - if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { + if (tb_sa[MACSEC_SA_ATTR_PN] && + nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { pr_notice("macsec: nl: add_rxsa: bad pn length: %d != %d\n", nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); rtnl_unlock(); |