From: Tobias Brunner <tobias@strongswan.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>
Subject: [PATCH ipsec] af_key: Reject optional tunnel/BEET mode templates in outbound policies
Date: Fri, 5 May 2023 13:36:15 +0200
Message-ID: <46fcb205-989e-4ea7-463d-e72b85db9e71@strongswan.org>
In-Reply-To: <ZFTd459F8fi+KfxM@gondor.apana.org.au>

xfrm_state_find() uses `encap_family` of the current template with
the passed local and remote addresses to find a matching state.
If an optional tunnel or BEET mode template is skipped in a mixed-family
scenario, there could be a mismatch causing an out-of-bounds read as
the addresses were not replaced to match the family of the next template.

While there are theoretical use cases for optional templates in outbound
policies, the only practical one is to skip IPComp states in inbound
policies if uncompressed packets are received that are handled by an
implicitly created IPIP state instead.

Signed-off-by: Tobias Brunner <tobias@strongswan.org>
---
  net/key/af_key.c | 12 ++++++++----
  1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index a815f5ab4c49..31ab12fd720a 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1940,7 +1940,8 @@ static u32 gen_reqid(struct net *net)
  }
  
  static int
-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
+parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol,
+		   struct sadb_x_ipsecrequest *rq)
  {
  	struct net *net = xp_net(xp);
  	struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr;
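Review bot: the new `pol` argument to parse_ipsecrequest() is dereferenced only for `sadb_x_policy_dir`; a short comment above the function saying the policy is passed so the template parser can tell the direction would save readers from tracing the argument through the next hunk. Passing the whole `struct sadb_x_policy *` is consistent with the existing parse_ipsecrequests() signature, so this is a documentation point, not a request to change the interface.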
@@ -1958,9 +1959,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
  	if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
  		return -EINVAL;
  	t->mode = mode;
-	if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE)
+	if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) {
+		if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) &&
+		    pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
+			return -EINVAL;
  		t->optional = 1;
-	else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
+	} else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
  		t->reqid = rq->sadb_x_ipsecrequest_reqid;
  		if (t->reqid > IPSEC_MANUAL_REQID_MAX)
  			t->reqid = 0;
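Review bot: the new `-EINVAL` path has no in-code explanation; the reason (xfrm_state_find() looks up states with the `encap_family` of the current template, so skipping an optional tunnel/BEET template in a mixed-family outbound policy leaves the addresses in the wrong family and can read out of bounds) exists only in the commit message. Add a brief comment above `if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) &&` so the restriction is not loosened later by someone who sees only an apparently arbitrary rejection. The logic itself looks right: the check uses the translated `mode` rather than the raw PF_KEY value, returns before `t->optional = 1` is set, and leaves inbound optional templates and transport-mode optional templates (the IPComp case the commit message describes) untouched.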
@@ -2002,7 +2006,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
  		    rq->sadb_x_ipsecrequest_len < sizeof(*rq))
  			return -EINVAL;
  
-		if ((err = parse_ipsecrequest(xp, rq)) < 0)
+		if ((err = parse_ipsecrequest(xp, pol, rq)) < 0)
  			return err;
  		len -= rq->sadb_x_ipsecrequest_len;
  		rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len);
-- 
2.34.1
