Browse files

xfrm_user: return error pointer instead of NULL

When dump_one_state() returns an error, e.g. because of a too small
buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
instead of an error pointer. But its callers expect an error pointer
and therefore continue to operate on a NULL skbuff.

This could lead to a privilege escalation (execution of user code in
kernel context) if the attacker has CAP_NET_ADMIN and is able to map
address 0.

Signed-off-by: Mathias Krause <>
Acked-by: Steffen Klassert <>
Signed-off-by: David S. Miller <>
  • Loading branch information...
1 parent 2c20cbd commit 864745d291b5ba80ea0bd0edcbe67273de368836 @minipli minipli committed with davem330 Sep 13, 2012
Showing with 4 additions and 2 deletions.
  1. +4 −2 net/xfrm/xfrm_user.c
@@ -878,6 +878,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
struct xfrm_dump_info info;
struct sk_buff *skb;
+ int err;
if (!skb)
@@ -888,9 +889,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
info.nlmsg_seq = seq;
info.nlmsg_flags = 0;
- if (dump_one_state(x, 0, &info)) {
+ err = dump_one_state(x, 0, &info);
+ if (err) {
- return NULL;
+ return ERR_PTR(err);
return skb;

0 comments on commit 864745d

Please sign in to comment.