xfrm: Reject excessive values for XFRMA_TFCPAD

author David Ahern <dahern@nvidia.com>

Wed, 13 May 2026 16:50:24 +0000 (10:50 -0600)

committer Steffen Klassert <steffen.klassert@secunet.com>

Thu, 14 May 2026 08:24:10 +0000 (10:24 +0200)
author David Ahern <dahern@nvidia.com>
Wed, 13 May 2026 16:50:24 +0000 (10:50 -0600)
committer Steffen Klassert <steffen.klassert@secunet.com>
Thu, 14 May 2026 08:24:10 +0000 (10:24 +0200)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c

index ae144d1e4a65cd72455a58170c9bcfd7f327b367..e87f33aaa99c01ebee70c1130c89eb82f0bcf47c 100644 (file)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -937,8 +937,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
                                    attrs[XFRMA_ALG_COMP], extack)))
                 goto error;
  
-       if (attrs[XFRMA_TFCPAD])
+       if (attrs[XFRMA_TFCPAD]) {
                 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
+               if (x->tfcpad > IP_MAX_MTU) {
+                       NL_SET_ERR_MSG(extack, "Excessive TFC padding");
+                       err = -EINVAL;
+                       goto error;
+               }
+       }
  
         xfrm_mark_get(attrs, &x->mark);
author	David Ahern <dahern@nvidia.com>
	Wed, 13 May 2026 16:50:24 +0000 (10:50 -0600)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Thu, 14 May 2026 08:24:10 +0000 (10:24 +0200)