From: Wei Yongjun <yjwei@cn.fujitsu.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, steffen.klassert@secunet.com
Subject: Re: xfrm: Fix initialize repl field of struct xfrm_state
Date: Mon, 21 Mar 2011 14:36:45 +0800 [thread overview]
Message-ID: <4D86F1FD.3080009@cn.fujitsu.com> (raw)
In-Reply-To: <20110320.225542.71119753.davem@davemloft.net>
> From: Wei Yongjun <yjwei@cn.fujitsu.com>
> Date: Mon, 21 Mar 2011 13:45:39 +0800
>
>> Commit 'xfrm: Move IPsec replay detection functions to a separate file'
>> (9fdc4883d92d20842c5acea77a4a21bb1574b495)
>> introduce repl field to struct xfrm_state, and only initialize it
>> under SA's netlink create path, the other path, such as pf_key, the
>> repl field remaining uninitialize. So if the SA is created by pf_key,
>> any input packet with SA's encryption algorithm will cause panic.
> Please, either add an xfrm_init_replay() call to the appropriate spot
> in net/key/af_key.c or, if possible, only have the one call in
> xfrm_init_state(). Don't leave two calls, one in xfrm_user.c and one
> in xfrm_state.c
>
> Anyways, I don't think just making one call from xfrm_init_state() is
> possible, because the replay settings need to be assigned before we
> can properly call xfrm_init_replay().
>
> Therefore, please fix this by adding the necessary call to af_key.c
Sorry for not said clearly, at the first time I want to do like this.
But when I grep 'xfrm_init_state', it be used in many place, not
any pf_key, but also XFRM MIGRATE, ipcomp, ipcomp6. So I did this ugly
patch by add this to xfrm_init_state() to avoid dup code.
Not sure whether the other case like ipcomp/ipcomp6 etc can cause panic, if
it panic, maybe we can fix by introduce new xfrm_init_replay() function
like to assign the default reply function.
int xfrm_init_replay(struct xfrm_state *x)
{
x->repl = &xfrm_replay_legacy;
return 0;
}
and change the orig xfrm_init_replay to xfrm_update_replay()?
Or dup those code to all used place?
If I was wrong, I will fix this by adding the necessary call to af_key.c.
Thanks.
> Thanks.
>
next prev parent reply other threads:[~2011-03-21 6:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-21 5:45 xfrm: Fix initialize repl field of struct xfrm_state Wei Yongjun
2011-03-21 5:48 ` [PATCH] " Wei Yongjun
2011-03-21 5:55 ` David Miller
2011-03-21 6:36 ` Wei Yongjun [this message]
2011-03-21 6:46 ` David Miller
2011-03-21 6:49 ` Wei Yongjun
2011-03-21 7:54 ` Steffen Klassert
2011-03-21 7:44 ` [PATCH v2] " Wei Yongjun
2011-03-21 8:00 ` David Miller
2011-03-21 8:01 ` David Miller
2011-03-21 8:37 ` [PATCH v3] " Wei Yongjun
2011-03-22 1:08 ` David Miller
2011-03-21 8:25 ` Steffen Klassert
2011-03-21 9:10 ` Wei Yongjun
2011-03-21 9:18 ` Wei Yongjun
2011-03-21 12:06 ` Steffen Klassert
2011-03-22 1:04 ` Wei Yongjun
2011-03-22 13:14 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D86F1FD.3080009@cn.fujitsu.com \
--to=yjwei@cn.fujitsu.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.