From: Thomas Walpuski <thomas@bender.thinknerd.de>
To: davem@nuts.ninka.net, kuznet@ms2.inr.ac.ru
Cc: linux-kernel@vger.kernel.org
Subject: bugfix for xfrm user interface
Date: Mon, 27 Jan 2003 23:40:56 +0100 [thread overview]
Message-ID: <20030127224056.GA317@server2.h07.org> (raw)
By playing around with the xfrm user interface I found two bugs.
The xfrm user interface does not transmit authentication and/or
encryption keys, when it is asked for via netlink-sockets. IMO the keys
should be transmitted at least for debugging purpose.
ATM it's impossible to make the kernel dump all security policies via
netlink-sockets due to a semantic error in xfrm_user_rcv_msg().
The following patch fixes both issues:
--- /usr/src/linux/net/ipv4/xfrm_user.c.orig 2003-01-16 19:44:49.000000000 +0100
+++ /usr/src/linux/net/ipv4/xfrm_user.c 2003-01-16 20:41:54.000000000 +0100
@@ -276,9 +276,11 @@
copy_to_user_state(x, p);
if (x->aalg)
- RTA_PUT(skb, XFRMA_ALG_AUTH, sizeof(*(x->aalg)), x->aalg);
+ RTA_PUT(skb, XFRMA_ALG_AUTH,
+ sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg);
if (x->ealg)
- RTA_PUT(skb, XFRMA_ALG_CRYPT, sizeof(*(x->ealg)), x->ealg);
+ RTA_PUT(skb, XFRMA_ALG_CRYPT,
+ sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg);
if (x->calg)
RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
@@ -655,6 +657,7 @@
info.in_skb = cb->skb;
info.out_skb = skb;
info.nlmsg_seq = cb->nlh->nlmsg_seq;
+ info.this_idx = 0;
info.start_idx = cb->args[0];
(void) xfrm_policy_walk(dump_one_policy, &info);
cb->args[0] = info.this_idx;
@@ -752,7 +755,7 @@
{
struct rtattr *xfrma[XFRMA_MAX];
struct xfrm_link *link;
- int type, min_len, kind;
+ int type, min_len;
if (!(nlh->nlmsg_flags & NLM_F_REQUEST))
return 0;
@@ -768,7 +771,6 @@
goto err_einval;
type -= XFRM_MSG_BASE;
- kind = (type & 3);
link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */
@@ -777,7 +779,7 @@
return -1;
}
- if (kind == 2 && (nlh->nlmsg_flags & NLM_F_DUMP)) {
+ if ((type == 2 || type == 5) && (nlh->nlmsg_flags & NLM_F_DUMP)) {
u32 rlen;
if (link->dump == NULL)
BTW: I've done a port of isakmpd to Linux 2.5 which uses PFKEYv2-sockets
for sake of simplicity (read: because I'm lazy). The patch and tarballs
with prepatched sources can be found at http://bender.thinknerd.de/
~thomas/isakmpd-linux-2.5/. I've done some testing on 2.5.56 and it
seems to be quite stable (there have been no problems within one week
heavy usage).
next reply other threads:[~2003-01-27 22:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-27 22:40 Thomas Walpuski [this message]
2003-01-27 23:33 ` bugfix for xfrm user interface David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030127224056.GA317@server2.h07.org \
--to=thomas@bender.thinknerd.de \
--cc=davem@nuts.ninka.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox