* pull request (net): ipsec 2015-01-26
@ 2015-01-26  7:48 Steffen Klassert
  2015-01-26  7:48 ` [PATCH 1/2] xfrm6: Fix transport header offset in _decode_session6 Steffen Klassert
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Steffen Klassert @ 2015-01-26  7:48 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

Just two small fixes for _decode_session6() where we
might decode to wrong header information in some rare
situations.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit f2a01517f2a1040a0b156f171a7cefd748f2fd03:

  openvswitch: Fix flow mask validation. (2014-12-05 21:42:16 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master

for you to fetch changes up to f855691975bb06373a98711e4cfe2c224244b536:

  xfrm6: Fix the nexthdr offset in _decode_session6. (2014-12-08 07:56:18 +0100)

----------------------------------------------------------------
Steffen Klassert (2):
      xfrm6: Fix transport header offset in _decode_session6.
      xfrm6: Fix the nexthdr offset in _decode_session6.

 net/ipv6/xfrm6_policy.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)


* [PATCH 1/2] xfrm6: Fix transport header offset in _decode_session6.
  2015-01-26  7:48 pull request (net): ipsec 2015-01-26 Steffen Klassert
@ 2015-01-26  7:48 ` Steffen Klassert
  2015-01-26  7:48 ` [PATCH 2/2] xfrm6: Fix the nexthdr " Steffen Klassert
  2015-01-27  8:28 ` pull request (net): ipsec 2015-01-26 David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Steffen Klassert @ 2015-01-26  7:48 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

skb->transport_header might not be valid when we do a reverse
decode because the ipv6 tunnel error handlers don't update it
to the inner transport header. This leads to a wrong offset
calculation and to wrong layer 4 information. We fix this
by using the size of the ipv6 header as the first offset.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/ipv6/xfrm6_policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 5f98364..aa48302 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
 	struct flowi6 *fl6 = &fl->u.ip6;
 	int onlyproto = 0;
-	u16 offset = skb_network_header_len(skb);
 	const struct ipv6hdr *hdr = ipv6_hdr(skb);
+	u16 offset = sizeof(*hdr);
 	struct ipv6_opt_hdr *exthdr;
 	const unsigned char *nh = skb_network_header(skb);
 	u8 nexthdr = nh[IP6CB(skb)->nhoff];
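
Review bot: "u16 offset = sizeof(*hdr);" now starts the header walk at
the end of the fixed IPv6 header in both decode directions, while the
last context line still takes nexthdr from "nh[IP6CB(skb)->nhoff]".
Please confirm that these two always describe the same header: if nhoff
can refer to a next-header field beyond the fixed header, offset and
nexthdr would disagree. A short comment at the initializer saying why
skb_network_header_len() is not used here (transport_header is not
valid on reverse decode, per the commit message) would also keep this
from being reverted later as a cleanup.
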
-- 
1.9.1


* [PATCH 2/2] xfrm6: Fix the nexthdr offset in _decode_session6.
  2015-01-26  7:48 pull request (net): ipsec 2015-01-26 Steffen Klassert
  2015-01-26  7:48 ` [PATCH 1/2] xfrm6: Fix transport header offset in _decode_session6 Steffen Klassert
@ 2015-01-26  7:48 ` Steffen Klassert
  2015-01-27  8:28 ` pull request (net): ipsec 2015-01-26 David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Steffen Klassert @ 2015-01-26  7:48 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

xfrm_decode_session() was originally designed for the
usage in the receive path where the correct nexthdr offset
is stored in IP6CB(skb)->nhoff. Over time this function
spread to code that is used in the output path (netfilter,
vti) where IP6CB(skb)->nhoff is not set. As a result, we
get a wrong nexthdr and the upper layer flow information
is wrong. This can lead to incorrect policy lookups.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/ipv6/xfrm6_policy.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index aa48302..48bf5a0 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -134,8 +134,14 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 	u16 offset = sizeof(*hdr);
 	struct ipv6_opt_hdr *exthdr;
 	const unsigned char *nh = skb_network_header(skb);
-	u8 nexthdr = nh[IP6CB(skb)->nhoff];
+	u16 nhoff = IP6CB(skb)->nhoff;
 	int oif = 0;
+	u8 nexthdr;
+
+	if (!nhoff)
+		nhoff = offsetof(struct ipv6hdr, nexthdr);
+
+	nexthdr = nh[nhoff];
 
 	if (skb_dst(skb))
 		oif = skb_dst(skb)->dev->ifindex;
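
Review bot: "if (!nhoff)" treats zero as the marker for "not set", but
the commit message only says nhoff is not set on the output path, not
that it is guaranteed to be zero there. If the control block can hold
leftover data from another user at that point, "nexthdr = nh[nhoff];"
indexes the packet at an arbitrary offset with no check against the
header length. Please document the zero-means-unset assumption in a
comment above the check, or validate nhoff against the packet before
indexing.
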
-- 
1.9.1


* Re: pull request (net): ipsec 2015-01-26
  2015-01-26  7:48 pull request (net): ipsec 2015-01-26 Steffen Klassert
  2015-01-26  7:48 ` [PATCH 1/2] xfrm6: Fix transport header offset in _decode_session6 Steffen Klassert
  2015-01-26  7:48 ` [PATCH 2/2] xfrm6: Fix the nexthdr " Steffen Klassert
@ 2015-01-27  8:28 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-01-27  8:28 UTC (permalink / raw)
  To: steffen.klassert; +Cc: herbert, netdev

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 26 Jan 2015 08:48:21 +0100

> Just two small fixes for _decode_session6() where we
> might decode to wrong header information in some rare
> situations.
> 
> Please pull or let me know if there are problems.

Pulled, thanks a lot Steffen.
