From: Thomas Walpuski <thomas@bender.thinknerd.de>
To: davem@nuts.ninka.net, kuznet@ms2.inr.ac.ru
Cc: linux-kernel@vger.kernel.org
Subject: bugfix for xfrm user interface
Date: Mon, 27 Jan 2003 23:40:56 +0100
Message-ID: <20030127224056.GA317@server2.h07.org>

By playing around with the xfrm user interface I found two bugs.

The xfrm user interface does not transmit authentication and/or
encryption keys when they are asked for via netlink sockets. IMO the keys
should be transmitted, at least for debugging purposes.

ATM it's impossible to make the kernel dump all security policies via
netlink-sockets due to a semantic error in xfrm_user_rcv_msg().

The following patch fixes both issues:

--- /usr/src/linux/net/ipv4/xfrm_user.c.orig	2003-01-16 19:44:49.000000000 +0100
+++ /usr/src/linux/net/ipv4/xfrm_user.c	2003-01-16 20:41:54.000000000 +0100
@@ -276,9 +276,11 @@
 	copy_to_user_state(x, p);
 
 	if (x->aalg)
-		RTA_PUT(skb, XFRMA_ALG_AUTH, sizeof(*(x->aalg)), x->aalg);
+		RTA_PUT(skb, XFRMA_ALG_AUTH,
+			sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg);
 	if (x->ealg)
-		RTA_PUT(skb, XFRMA_ALG_CRYPT, sizeof(*(x->ealg)), x->ealg);
+		RTA_PUT(skb, XFRMA_ALG_CRYPT,
+			sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg);
 	if (x->calg)
 		RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
 
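Review bot: The new lengths passed to RTA_PUT for XFRMA_ALG_AUTH and XFRMA_ALG_CRYPT append (alg_key_len+7)/8 bytes of raw key material to every state reply, so this needs a comment saying the keys are exported on purpose, plus confirmation that every caller of this function sits behind the privilege check noted in xfrm_user_rcv_msg() ("All operations require privileges, even GET"). The bits-to-bytes expression is written out twice; a small helper or macro would keep the auth and crypt cases in step. A one-line remark on why XFRMA_ALG_COMP stays at sizeof(*(x->calg)) would also save the next reader from wondering whether it was missed.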
@@ -655,6 +657,7 @@
 	info.in_skb = cb->skb;
 	info.out_skb = skb;
 	info.nlmsg_seq = cb->nlh->nlmsg_seq;
+	info.this_idx = 0;
 	info.start_idx = cb->args[0];
 	(void) xfrm_policy_walk(dump_one_policy, &info);
 	cb->args[0] = info.this_idx;
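Review bot: Setting info.this_idx = 0 fixes the one field that is read back into cb->args[0] without having been written, but info is still filled in member by member, so any field added later can repeat the same bug. Zeroing the whole structure before the assignments would be more robust than initialising this_idx on its own. The result of xfrm_policy_walk() is also discarded with a (void) cast here; if the walk can fail part-way, the dump will report a resume index without any error indication.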
@@ -752,7 +755,7 @@
 {
 	struct rtattr *xfrma[XFRMA_MAX];
 	struct xfrm_link *link;
-	int type, min_len, kind;
+	int type, min_len;
 
 	if (!(nlh->nlmsg_flags & NLM_F_REQUEST))
 		return 0;
@@ -768,7 +771,6 @@
 		goto err_einval;
 
 	type -= XFRM_MSG_BASE;
-	kind = (type & 3);
 	link = &xfrm_dispatch[type];
 
 	/* All operations require privileges, even GET */
@@ -777,7 +779,7 @@
 		return -1;
 	}
 
-	if (kind == 2 && (nlh->nlmsg_flags & NLM_F_DUMP)) {
+	if ((type == 2 || type == 5) && (nlh->nlmsg_flags & NLM_F_DUMP)) {
 		u32 rlen;
 
 		if (link->dump == NULL)
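Review bot: The changed condition compares type against the bare numbers 2 and 5 after XFRM_MSG_BASE has been subtracted, which nobody can verify without counting entries in the message-type list, and which breaks silently if that list is ever reordered. Please spell the two cases with the named message constants minus XFRM_MSG_BASE (XFRM_MSG_GETSA and XFRM_MSG_GETPOLICY). The commit message should also state that the old test, kind == (type & 3) == 2, matched offsets 2 and 6 but never 5, so besides enabling the policy dump this change stops offset 6 from taking the dump branch.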

BTW: I've done a port of isakmpd to Linux 2.5 which uses PFKEYv2 sockets
for the sake of simplicity (read: because I'm lazy). The patch and tarballs
with prepatched sources can be found at
http://bender.thinknerd.de/~thomas/isakmpd-linux-2.5/. I've done some
testing on 2.5.56 and it seems to be quite stable (there have been no
problems within one week of heavy usage).
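
With the first fix in the patch above, a netlink reader receives XFRMA_ALG_AUTH and XFRMA_ALG_CRYPT as the fixed struct followed by (alg_key_len+7)/8 key bytes, so it has to check the attribute length against that claim before reading the key. The C code below is an added example, not code from the original message or from the kernel. struct algo_hdr, algo_key() and make_sample() are hypothetical names, the header layout is assumed, and the sample payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the XFRMA_ALG_AUTH / XFRMA_ALG_CRYPT payload: fixed header, then
 * alg_key_len bits of key. Field sizes are assumed for this example. */
struct algo_hdr {
    char     alg_name[64];
    uint32_t alg_key_len;                      /* key length in bits */
};

/* Bits to bytes, rounded up like (alg_key_len+7)/8 but without wrap-around. */
static size_t key_bytes(uint32_t bits) { return (size_t)(bits / 8) + (bits % 8 != 0); }

/* Check one attribute payload of len bytes. Returns a pointer to the key and
 * stores its size in *klen, or NULL if the payload cannot hold what it claims. */
const unsigned char *algo_key(const unsigned char *p, size_t len, size_t *klen)
{
    struct algo_hdr h;
    if (len < sizeof h)
        return NULL;                           /* truncated header */
    memcpy(&h, p, sizeof h);                   /* p may be unaligned */
    if (!memchr(h.alg_name, '\0', sizeof h.alg_name))
        return NULL;                           /* name not terminated */
    if (len - sizeof h < key_bytes(h.alg_key_len))
        return NULL;                           /* header only, or short key */
    *klen = key_bytes(h.alg_key_len);
    return p + sizeof h;
}

/* Build a constructed sample payload; with_key = 0 gives a header-only one. */
size_t make_sample(unsigned char *buf, const char *name, uint32_t bits, int with_key)
{
    struct algo_hdr h = { {0}, bits };
    size_t n = with_key ? key_bytes(bits) : 0;
    strncpy(h.alg_name, name, sizeof h.alg_name - 1);
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0xAB, n);           /* dummy key bytes */
    return sizeof h + n;
}

int main(void)
{
    unsigned char buf[128];
    size_t klen = 0;
    printf("with key: %d\n", algo_key(buf, make_sample(buf, "sha1", 160, 1), &klen) != NULL);
    printf("header only: %d\n", algo_key(buf, make_sample(buf, "sha1", 160, 0), &klen) != NULL);
    return 0;
}
```

A payload sized as in the unpatched code (header only, non-zero alg_key_len) is rejected rather than read past its end.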
