From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 51CBC23C504 for ; Tue, 13 May 2025 10:57:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747133854; cv=none; b=ctD1U5ETrtoEcHDf0Z2MaRH208xD5L+WwdcVJtYyhq9KjFZTpjJvIXbm7AtehREERl9R/YFuUsr6lrDRozeq1Vka04CD+ao8u8JnE7sV85pKOTwCakJtxu1W0KiMM+9cEVaYSODP2FKnuQzX/aBUr+vwAaePdjX3oMl2m1bL2I4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747133854; c=relaxed/simple; bh=WVzc09lW3BNHj+e7VPEzOxbXqk7hKEJMPrmnFMRkLc4=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=dsfKC6hreXTV+15KgXX0OojMLkb+AylOQoRzThQ10/kvhC/Q/1dgXrWN3VVM3yLZtS0KHUnt4glkP6vv3ymQE+VjhhMGMQNfXA8Bg5xwzaFkIsLO8iJ1AOkghUja9aXNh18MXh0KwgQaPq/ROlI4rREO68TxALcfulAxwwMzGHc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KraKsEp1; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KraKsEp1" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B8CE6C4CEE4; Tue, 13 May 2025 10:57:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1747133853; bh=WVzc09lW3BNHj+e7VPEzOxbXqk7hKEJMPrmnFMRkLc4=; h=From:To:Cc:Subject:Date:From; b=KraKsEp1XxwLGQh58m0aFHqRssaCm2UgTSwbbkMfev3SuUq77FVpKgr+uSihAiPB+ 4kveUk4VmQ28IiOE5nyU2OGse0FDQm4+ZC8/dDs/uUr0cTrF5L8to8XvbhhrtpcP9p eAm4JQbBHZ0pSpqRwNCrJt/GO9jTzjrf7R5xrhGqeR7OHZTZ+kyY0r+gx7apjIc2+m FtjQtR0tjLrHJcKp7gRMDQt1U79Uqy4xw5HkMDg+sLgGgGSK5lLWbJEGOlS66DQb9L R/9DtTQuod0fRBtxk8HLROn/ROGlnwQXKWYdi3++DdqRbq5aXJ6MWf3pRz5lK2FIsK Ci8eks1MfNrNg== From: Leon Romanovsky To: Steffen Klassert Cc: Leon Romanovsky , "David S. Miller" , Eric Dumazet , Herbert Xu , Jakub Kicinski , netdev@vger.kernel.org, Paolo Abeni Subject: [PATCH ipsec-next] xfrm: validate assignment of maximal possible SEQ number Date: Tue, 13 May 2025 13:56:22 +0300 Message-ID: <956dde412bb3224a31bf89a3038b9d2c76890a42.1747133660.git.leon@kernel.org> X-Mailer: git-send-email 2.49.0 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Leon Romanovsky Users can set any seq/seq_hi/oseq/oseq_hi values. The XFRM core code doesn't prevent from them to set even 0xFFFFFFFF, however this value will cause for traffic drop. Is is happening because SEQ numbers here mean that packet with such number was processed and next number should be sent on the wire. In this case, the next number will be 0, and it means overflow which causes to (expected) packet drops. While it can be considered as misconfiguration and handled by XFRM datapath in the same manner as any other SEQ number, let's add validation to easy for packet offloads implementations which need to configure HW with next SEQ to send and not with current SEQ like it is done in core code. Signed-off-by: Leon Romanovsky --- net/xfrm/xfrm_user.c | 52 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 10 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 784a2d124749..614b58cb26ab 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -178,11 +178,27 @@ static inline int verify_replay(struct xfrm_usersa_info *p, "Replay seq and seq_hi should be 0 for output SA"); return -EINVAL; } - if (rs->oseq_hi && !(p->flags & XFRM_STATE_ESN)) { - NL_SET_ERR_MSG( - extack, - "Replay oseq_hi should be 0 in non-ESN mode for output SA"); - return -EINVAL; + + if (!(p->flags & XFRM_STATE_ESN)) { + if (rs->oseq_hi) { + NL_SET_ERR_MSG( + extack, + "Replay oseq_hi should be 0 in non-ESN mode for output SA"); + return -EINVAL; + } + if (rs->oseq == U32_MAX) { + NL_SET_ERR_MSG( + extack, + "Replay oseq should be less than 0xFFFFFFFF in non-ESN mode for output SA"); + return -EINVAL; + } + } else { + if (rs->oseq == U32_MAX && rs->oseq_hi == U32_MAX) { + NL_SET_ERR_MSG( + extack, + "Replay oseq and oseq_hi should be less than 0xFFFFFFFF for output SA"); + return -EINVAL; + } } if (rs->bmp_len) { NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA"); @@ -196,11 +212,27 @@ static inline int verify_replay(struct xfrm_usersa_info *p, "Replay oseq and oseq_hi should be 0 for input SA"); return -EINVAL; } - if (rs->seq_hi && !(p->flags & XFRM_STATE_ESN)) { - NL_SET_ERR_MSG( - extack, - "Replay seq_hi should be 0 in non-ESN mode for input SA"); - return -EINVAL; + if (!(p->flags & XFRM_STATE_ESN)) { + if (rs->seq_hi) { + NL_SET_ERR_MSG( + extack, + "Replay seq_hi should be 0 in non-ESN mode for input SA"); + return -EINVAL; + } + + if (rs->seq == U32_MAX) { + NL_SET_ERR_MSG( + extack, + "Replay seq should be less than 0xFFFFFFFF in non-ESN mode for input SA"); + return -EINVAL; + } + } else { + if (rs->seq == U32_MAX && rs->seq_hi == U32_MAX) { + NL_SET_ERR_MSG( + extack, + "Replay seq and seq_hi should be less than 0xFFFFFFFF for input SA"); + return -EINVAL; + } } } -- 2.49.0