]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netkey/key.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-4903.241.1.tar.gz
[apple/xnu.git] / bsd / netkey / key.c
diff --git a/bsd/netkey/key.c b/bsd/netkey/key.c
index f373441d06af49b7a008b0a933660f71d06041a3..1e4b998110f07f9943fc4fa515cabcd554e25d6e 100644 (file)
--- a/bsd/netkey/key.c
+++ b/bsd/netkey/key.c
@@ -7898,6 +7898,7 @@ static int
 key_getsastatbyspi (struct sastat *stat_arg,
                                        u_int32_t      max_stat_arg,
                                        struct sastat *stat_res,
+                                       u_int32_t      stat_res_size,
                                        u_int32_t     *max_stat_res)
 {
        int cur, found = 0;
@@ -7907,8 +7908,11 @@ key_getsastatbyspi (struct sastat *stat_arg,
            max_stat_res == NULL) {
                return -1;
        }
+
+       u_int32_t max_stats = stat_res_size / (sizeof(struct sastat));
+       max_stats = ((max_stat_arg <= max_stats) ? max_stat_arg : max_stats);
        
-       for (cur = 0; cur < max_stat_arg; cur++) {
+       for (cur = 0; cur < max_stats; cur++) {
                if (key_getsastatbyspi_one(stat_arg[cur].spi,
                                                                   &stat_res[found]) == 0) {
                        found++;
@@ -9863,6 +9867,15 @@ key_validate_ext(
                                return EINVAL;
                        break;
        }
+
+       /* check key bits length */
+       if (ext->sadb_ext_type == SADB_EXT_KEY_AUTH ||
+           ext->sadb_ext_type == SADB_EXT_KEY_ENCRYPT) {
+               struct sadb_key *key = (struct sadb_key *)(uintptr_t)ext;
+               if (len < (sizeof(struct sadb_key) + _KEYLEN(key))) {
+                       return EINVAL;
+               }
+       }
        
        return 0;
 }
@@ -10168,6 +10181,7 @@ key_getsastat (struct socket *so,
        if (key_getsastatbyspi((struct sastat *)(sa_stats_arg + 1),
                                                   arg_count,
                                                   sa_stats_sav,
+                                                  bufsize,
                                                   &res_count)) {
                printf("%s: Error finding SAs.\n", __FUNCTION__);
                error = ENOENT;
mirror of XNU