From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
netdev@vger.kernel.org
Subject: [PATCH 6/8] xfrm: check user specified spi for IPComp
Date: Thu, 19 Dec 2013 07:36:43 +0100 [thread overview]
Message-ID: <1387435005-8987-7-git-send-email-steffen.klassert@secunet.com> (raw)
In-Reply-To: <1387435005-8987-1-git-send-email-steffen.klassert@secunet.com>
From: Fan Du <fan.du@windriver.com>
An IPComp connection between two hosts is broken if given an spi bigger
than 0xffff.
OUTSPI=0x87
INSPI=0x11112
ip xfrm policy update dst 192.168.1.101 src 192.168.1.109 dir out action allow \
tmpl dst 192.168.1.101 src 192.168.1.109 proto comp spi $OUTSPI
ip xfrm policy update src 192.168.1.101 dst 192.168.1.109 dir in action allow \
tmpl src 192.168.1.101 dst 192.168.1.109 proto comp spi $INSPI
ip xfrm state add src 192.168.1.101 dst 192.168.1.109 proto comp spi $INSPI \
comp deflate
ip xfrm state add dst 192.168.1.101 src 192.168.1.109 proto comp spi $OUTSPI \
comp deflate
tcpdump can capture the outbound ping packet, but the inbound packet is
dropped with XfrmOutNoStates errors. It looks like the spi value used
for IPComp is expected to be 16 bits wide only.
Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_user.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 16c8460..4027c42 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -181,7 +181,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
attrs[XFRMA_ALG_AEAD] ||
attrs[XFRMA_ALG_CRYPT] ||
attrs[XFRMA_ALG_COMP] ||
- attrs[XFRMA_TFCPAD])
+ attrs[XFRMA_TFCPAD] ||
+ (ntohl(p->id.spi) >= 0x10000))
+
goto out;
break;
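Review bot: the condition this hunk extends jumps to `out` when `attrs[XFRMA_ALG_COMP]` is present (third term of the visible context, with no negation), so it is an arm that rejects a compression algorithm on a non-IPComp SA, not the `IPPROTO_COMP` arm the subject line targets; an IPComp state must carry XFRMA_ALG_COMP (the commit message's `comp deflate`), so `(ntohl(p->id.spi) >= 0x10000)` added here is never reached for the SAs being fixed and would instead reject SAs of whatever other protocol this arm handles whenever their SPI is above 0xffff. Move the term into the `case IPPROTO_COMP:` arm of the same switch in verify_newsa_info, where the required-attribute test `!attrs[XFRMA_ALG_COMP]` lives. Also drop the stray empty `+` line between the closing `))` and `goto out;`, which leaves a blank line inside the if statement. The test itself is right for IPComp: `p->id.spi` arrives in network byte order, so the `ntohl()` before comparing against 0x10000 is needed, and refusing the SA at creation time is the only place to catch a 32-bit SPI that cannot be represented in the 16-bit CPI on the wire.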
--
1.7.9.5
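The commit message only observes that the IPComp spi "is expected to be 16bits wide". The reason is the on-wire format: the IPComp header defined in RFC 3173 carries the SA identifier as a 16-bit CPI, so an SA created with spi 0x11112 sends packets tagged 0x1112 and the peer looks up a state that does not exist, which is the missing-state drop described above. The program below is an added example, not code from this patch or from the kernel tree: it models the sender and receiver with a header struct of its own, applies the `ntohl(spi) >= 0x10000` bound from the patch, and walks the two SPI values from the commit message through build and lookup. Function names, the struct name and the inner next-header value are assumptions for illustration.

```c
/*
 * Added example, not part of the patch or of the kernel tree. Models why
 * an IPComp SA identifier has to fit in 16 bits: the IPComp header
 * (RFC 3173) carries a 16-bit CPI, not the 32-bit SPI used by xfrm.
 * Struct and function names here are our own (assumption); the bound
 * 0x10000 is the one the patch checks.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* RFC 3173 IPComp header: next header (8 bits), flags (8), CPI (16). */
struct ipcomp_hdr {
    uint8_t  nexthdr;
    uint8_t  flags;
    uint16_t cpi;      /* network byte order */
};

/* The test the patch adds to verify_newsa_info(): p->id.spi is in
 * network byte order, hence the ntohl() before the comparison. */
static int ipcomp_spi_valid(uint32_t spi_be)
{
    return ntohl(spi_be) < 0x10000u;
}

/* Sender: the CPI is the low 16 bits of the host-order SPI; anything
 * above bit 15 is dropped here without any error. */
static uint16_t ipcomp_cpi_from_spi(uint32_t spi_be)
{
    return (uint16_t)ntohl(spi_be);
}

/* Emit the 4-byte IPComp header for an SA into buf (must hold 4 bytes). */
static size_t ipcomp_build_hdr(uint8_t *buf, uint8_t nexthdr, uint32_t spi_be)
{
    struct ipcomp_hdr h = { nexthdr, 0, htons(ipcomp_cpi_from_spi(spi_be)) };
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* Receiver: the only SA identifier available is the 16-bit CPI, so the
 * SPI it can look up is always below 0x10000. */
static uint32_t ipcomp_lookup_spi(const uint8_t *buf)
{
    struct ipcomp_hdr h;
    memcpy(&h, buf, sizeof h);
    return htonl(ntohs(h.cpi));
}

/* CPI as it appears on the wire, returned in host order for inspection.
 * 4 is used as an arbitrary inner protocol number (assumption). */
static unsigned ipcomp_wire_cpi(uint32_t spi_be)
{
    uint8_t buf[sizeof(struct ipcomp_hdr)];
    ipcomp_build_hdr(buf, 4, spi_be);
    return ((unsigned)buf[2] << 8) | buf[3];
}

/* 1 if a packet sent under spi_be is matched to the same SA on receipt. */
static int ipcomp_spi_round_trips(uint32_t spi_be)
{
    uint8_t buf[sizeof(struct ipcomp_hdr)];
    ipcomp_build_hdr(buf, 4, spi_be);
    return ipcomp_lookup_spi(buf) == spi_be;
}

int main(void)
{
    /* The two SPIs from the commit message, host order here. */
    const uint32_t spis[] = { 0x87, 0x11112 };
    size_t i;

    for (i = 0; i < sizeof spis / sizeof spis[0]; i++) {
        uint32_t be = htonl(spis[i]);
        uint8_t buf[sizeof(struct ipcomp_hdr)];

        ipcomp_build_hdr(buf, 4, be);
        printf("spi 0x%05x: accepted=%d wire cpi=0x%04x receiver looks up "
               "0x%05x round_trips=%d\n",
               (unsigned)spis[i], ipcomp_spi_valid(be), ipcomp_wire_cpi(be),
               (unsigned)ntohl(ipcomp_lookup_spi(buf)),
               ipcomp_spi_round_trips(be));
    }
    return 0;
}
```

Run as-is it prints one line per SPI: 0x87 is accepted and comes back as the same SA, while 0x11112 fails the bound, goes out as CPI 0x1112 and is looked up as SPI 0x1112 on the far side. The validity check and the round-trip check agree for every value, which is the property the patch relies on by rejecting at SA creation instead of at send time.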
Thread overview:
2013-12-19 6:36 pull request (net-next): ipsec-next 2013-12-19 Steffen Klassert
2013-12-19 6:36 ` [PATCH 1/8] xfrm: Try to honor policy index if it's supplied by user Steffen Klassert
2013-12-19 6:36 ` [PATCH 2/8] xfrm: Using the right namespace to migrate key info Steffen Klassert
2013-12-19 6:36 ` [PATCH 3/8] xfrm: Namespacify xfrm state/policy locks Steffen Klassert
2013-12-19 6:36 ` [PATCH 4/8] xfrm: Remove ancient sleeping when the SA is in acquire state Steffen Klassert
2013-12-19 6:36 ` [PATCH 5/8] net: Remove FLOWI_FLAG_CAN_SLEEP Steffen Klassert
2013-12-19 6:36 ` Steffen Klassert [this message]
2013-12-19 6:36 ` [PATCH 7/8] xfrm: export verify_userspi_info for pkfey and netlink interface Steffen Klassert
2013-12-19 6:36 ` [PATCH 8/8] xfrm: Add file to document IPsec corner case Steffen Klassert
2013-12-19 23:38 ` pull request (net-next): ipsec-next 2013-12-19 David Miller