xfrm_user: return error pointer instead of NULL
When dump_one_state() returns an error, e.g. because of a too small buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL instead of an error pointer. But its callers expect an error pointer and therefore continue to operate on a NULL skbuff.

This could lead to a privilege escalation (execution of user code in kernel context) if the attacker has CAP_NET_ADMIN and is able to map address 0.

Signed-off-by: Mathias Krause <email@example.com>
Acked-by: Steffen Klassert <firstname.lastname@example.org>
Signed-off-by: David S. Miller <email@example.com>
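The return convention this commit message describes, as an added userspace model (not the kernel source and not the patch itself): a caller that only tests IS_ERR() lets NULL through, while an error pointer is caught. ERR_PTR/IS_ERR/PTR_ERR are re-implemented here after linux/err.h; struct buf, dump_state(), netlink_null(), netlink_errptr() and caller_check() are hypothetical stand-ins, and -EMSGSIZE is an error code chosen for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-implementation of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct buf { size_t len; };            /* hypothetical stand-in for an skbuff */

/* Stand-in for a dump routine that fails when the buffer is too small. */
static int dump_state(const struct buf *b, size_t need)
{
    return b->len < need ? -EMSGSIZE : 0;
}

/* Pre-fix shape: the dump failure is reported as NULL. */
static struct buf *netlink_null(struct buf *b, size_t need)
{
    return dump_state(b, need) ? NULL : b;
}

/* Post-fix shape: the errno travels back inside an error pointer. */
static struct buf *netlink_errptr(struct buf *b, size_t need)
{
    int err = dump_state(b, need);
    return err ? ERR_PTR(err) : b;
}

/* Caller that expects an error pointer, as the commit message says callers do.
 * Returns a negative errno if the failure was caught, 1 if a NULL pointer
 * slipped past the check and would be used, 0 for a valid buffer. */
static long caller_check(const struct buf *r)
{
    if (IS_ERR(r))
        return PTR_ERR(r);
    return r == NULL ? 1 : 0;
}

int main(void)
{
    struct buf small = { 16 };         /* constructed: too small for need = 64 */
    printf("NULL return:    %ld\n", caller_check(netlink_null(&small, 64)));
    printf("ERR_PTR return: %ld\n", caller_check(netlink_errptr(&small, 64)));
    return 0;
}
```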