ipsec: Fix aborted xfrm policy dump crash
commit
1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.
This is a fix for CVE-2017-16939 suitable for older stable branches.
The upstream fix is commit
1137b5e2529a8f5ca8ee709288ecba3e68044df2,
from which the following explanation is taken:
An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.
The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash. This can be
triggered if a dump fails because the target socket's receive
buffer is full.
It was not possible to define a 'start' callback for netlink dumps
until Linux 4.5, so instead add a check for the initialisation flag in
the 'done' callback.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
git.openpandora.org / pandora-kernel.git / commit