ANDROID: check dir value of xfrm_userpolicy_id

Check user provided dir value to prevent out-of-bound access
which may occur if dir is not less than XFRM_POLICY_MAX.

(url: http://seclists.org/bugtraq/2017/Jul/30)

Bug: 64257838
Signed-off-by: Suren Baghdasaryan <[email protected]>
Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0
Signed-off-by: Francisco Franco <[email protected]>

net/xfrm/xfrm_user.c

@@ -1559,6 +1559,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
 	struct sk_buff *skb;
 	int err;
 
+	err = verify_policy_dir(dir);
+	if (err)
+		return ERR_PTR(err);
+
 	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 	if (!skb)
 		return ERR_PTR(-ENOMEM);
@@ -2092,6 +2096,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
 	int err;
 	int n = 0;
 
+	err = verify_policy_dir(pi->dir);
+	if (err)
+		return err;
+
 	if (attrs[XFRMA_MIGRATE] == NULL)
 		return -EINVAL;
 
@@ -2202,6 +2210,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 {
 	struct net *net = &init_net;
 	struct sk_buff *skb;
+	int err;
+
+	err = verify_policy_dir(dir);
+	if (err)
+		return err;
 
 	skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC);
 	if (skb == NULL)
@@ -2827,6 +2840,11 @@ static int xfrm_notify_policy_flush(const struct km_event *c)
 
 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
+	int err;
+
+	err = verify_policy_dir(dir);
+	if (err)
+		return err;
 
 	switch (c->event) {
 	case XFRM_MSG_NEWPOLICY: