af_key: fix buffer overread in verify_address_len()
[pandora-kernel.git] / net / key / af_key.c
index c839f2d..315d4d7 100644 (file)
@@ -398,6 +398,11 @@ static int verify_address_len(const void *p)
 #endif
        int len;
 
+       if (sp->sadb_address_len <
+           DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
+                        sizeof(uint64_t)))
+               return -EINVAL;
+
        switch (addr->sa_family) {
        case AF_INET:
                len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
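Review bot: The new guard above `switch (addr->sa_family)` has no comment, and neither the units of the comparison nor the reason it stops at `sa_family` is obvious from the expression. I would add `/* sadb_address_len counts 64-bit words; it must cover sa_family before the switch reads it */` directly above the `if`. The guard compares only against the length the extension declares for itself, so it prevents the overread only if the caller has already checked that this many words fit in the received message. That caller check is not visible in this hunk and should be confirmed. verify_address_len() starts before and continues past the hunk.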