bugfix for xfrm user interface

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* bugfix for xfrm user interface
@ 2003-01-27 22:40 Thomas Walpuski
  2003-01-27 23:33 ` David S. Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Thomas Walpuski @ 2003-01-27 22:40 UTC (permalink / raw)
  To: davem, kuznet; +Cc: linux-kernel

By playing around with the xfrm user interface I found two bugs.

The xfrm user interface does not transmit authentication and/or
encryption keys, when it is asked for via netlink-sockets. IMO the keys
should be transmitted at least for debugging purpose.

ATM it's impossible to make the kernel dump all security policies via
netlink-sockets due to a semantic error in xfrm_user_rcv_msg().

The following patch fixes both issues:

--- /usr/src/linux/net/ipv4/xfrm_user.c.orig	2003-01-16 19:44:49.000000000 +0100
+++ /usr/src/linux/net/ipv4/xfrm_user.c	2003-01-16 20:41:54.000000000 +0100
@@ -276,9 +276,11 @@
 	copy_to_user_state(x, p);

 	if (x->aalg)
-		RTA_PUT(skb, XFRMA_ALG_AUTH, sizeof(*(x->aalg)), x->aalg);
+		RTA_PUT(skb, XFRMA_ALG_AUTH,
+			sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg);
 	if (x->ealg)
-		RTA_PUT(skb, XFRMA_ALG_CRYPT, sizeof(*(x->ealg)), x->ealg);
+		RTA_PUT(skb, XFRMA_ALG_CRYPT,
+			sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg);
 	if (x->calg)
 		RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);

@@ -655,6 +657,7 @@
 	info.in_skb = cb->skb;
 	info.out_skb = skb;
 	info.nlmsg_seq = cb->nlh->nlmsg_seq;
+	info.this_idx = 0;
 	info.start_idx = cb->args[0];
 	(void) xfrm_policy_walk(dump_one_policy, &info);
 	cb->args[0] = info.this_idx;
@@ -752,7 +755,7 @@
 {
 	struct rtattr *xfrma[XFRMA_MAX];
 	struct xfrm_link *link;
-	int type, min_len, kind;
+	int type, min_len;

 	if (!(nlh->nlmsg_flags & NLM_F_REQUEST))
 		return 0;
@@ -768,7 +771,6 @@
 		goto err_einval;

 	type -= XFRM_MSG_BASE;
-	kind = (type & 3);
 	link = &xfrm_dispatch[type];

 	/* All operations require privileges, even GET */
@@ -777,7 +779,7 @@
 		return -1;
 	}

-	if (kind == 2 && (nlh->nlmsg_flags & NLM_F_DUMP)) {
+	if ((type == 2 || type == 5) && (nlh->nlmsg_flags & NLM_F_DUMP)) {
 		u32 rlen;

 		if (link->dump == NULL)

BTW: I've done a port of isakmpd to Linux 2.5 which uses PFKEYv2-sockets
for sake of simplicity (read: because I'm lazy). The patch and tarballs
with prepatched sources can be found at http://bender.thinknerd.de/
~thomas/isakmpd-linux-2.5/. I've done some testing on 2.5.56 and it
seems to be quite stable (there have been no problems within one week
heavy usage).

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: bugfix for xfrm user interface
  2003-01-27 22:40 bugfix for xfrm user interface Thomas Walpuski
@ 2003-01-27 23:33 ` David S. Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David S. Miller @ 2003-01-27 23:33 UTC (permalink / raw)
  To: Thomas Walpuski; +Cc: davem, Alexey N. Kuznetsov, linux-kernel

On Mon, 2003-01-27 at 14:40, Thomas Walpuski wrote:
> By playing around with the xfrm user interface I found two bugs.

Thomas, I already applied your patch.

Didn't I send you an ACK of this?  I was sure I did. :-)


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2003-01-27 22:44 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-01-27 22:40 bugfix for xfrm user interface Thomas Walpuski
2003-01-27 23:33 ` David S. Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox