As found by syzbot, af_key does not properly validate the key length in sadb_key messages from userspace. This can result in copying from beyond the end of the sadb_key part of the message, or indeed beyond the end of the entire packet.
Kevin Easton (2):
  af_key: Use DIV_ROUND_UP() instead of open-coded equivalent
  af_key: Always verify length of provided sadb_key

 net/key/af_key.c | 58 ++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 16 deletions(-)

-- 
2.8.1
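The kind of length check the series describes, as an added C example that is not the patch itself or kernel code: it assumes the PF_KEY v2 sadb_key layout (extension length in 64-bit units, key size in bits, key bytes following the header) and rounds bits up to bytes the way a key copy would, so both the "beyond the extension" and "beyond the packet" cases are rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PF_KEY v2 key extension header (RFC 2367 / linux/pfkeyv2.h layout). Lengths
 * are in 64-bit units; sadb_key_bits is the key size in bits; key bytes follow. */
struct sadb_key {
    uint16_t sadb_key_len;
    uint16_t sadb_key_exttype;
    uint16_t sadb_key_bits;
    uint16_t sadb_key_reserved;
};
#define SADB_EXT_KEY_ENCRYPT 9
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* True only if the extension fits in the `avail` bytes left in the message
 * AND the key bytes it claims fit inside its own declared length, so a later
 * copy of DIV_ROUND_UP(bits, 8) bytes cannot run past either end. */
static bool sadb_key_valid(const void *ext, size_t avail)
{
    struct sadb_key key;
    size_t ext_bytes, key_bytes;

    if (avail < sizeof(key))
        return false;                         /* not even a full header */
    memcpy(&key, ext, sizeof(key));
    ext_bytes = (size_t)key.sadb_key_len * sizeof(uint64_t);
    if (ext_bytes < sizeof(key) || ext_bytes > avail)
        return false;                         /* claims more than the packet has */
    key_bytes = DIV_ROUND_UP((size_t)key.sadb_key_bits, 8);
    return sizeof(key) + key_bytes <= ext_bytes; /* key must fit the extension */
}

/* Constructed test case (not real traffic): builds a key extension with the
 * given declared length and bit count, key bytes zeroed, and validates it
 * against `avail` bytes of message. Returns 1/0 for valid/invalid, -1 if the
 * case does not fit the scratch buffer. */
static int check_case(uint16_t len_units, uint16_t bits, size_t avail)
{
    static uint8_t msg[64];
    struct sadb_key key = { len_units, SADB_EXT_KEY_ENCRYPT, bits, 0 };

    if ((size_t)len_units * sizeof(uint64_t) > sizeof(msg) || avail > sizeof(msg))
        return -1;
    memset(msg, 0, sizeof(msg));
    memcpy(msg, &key, sizeof(key));
    return sadb_key_valid(msg, avail) ? 1 : 0;
}
```

For example, a 128-bit key needs 16 bytes plus the 8-byte header, i.e. a declared length of 3 units; the same header with sadb_key_bits raised to 256 is rejected because the copy would read 32 bytes from a 24-byte extension.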