[PATCH ipsec] xfrm: esp6: fix encapsulation header offset computation

[PATCH ipsec] xfrm: esp6: fix encapsulation header offset computation

[Sabrina Dubroca]

In commit 0146dca70b87, I incorrectly adapted the code that computes
the location of the UDP or TCP encapsulation header from IPv4 to
IPv6. In esp6_input_done2, skb->transport_header points to the ESP
header, so by adding skb_network_header_len, uh and th will point to
the ESP header, not the encapsulation header that's in front of it.

Since the TCP header's size can change with options, we have to start
from the IPv6 header and walk past possible extensions.

Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
Fixes: 26333c37fc28 ("xfrm: add IPv6 support for espintcp")
Reported-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 net/ipv6/esp6.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index c43592771126..55ae70be91b3 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -805,10 +805,16 @@ int esp6_input_done2(struct sk_buff *skb, int err)
 
 	if (x->encap) {
 		const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+		int offset = skb_network_offset(skb) + sizeof(*ip6h);
 		struct xfrm_encap_tmpl *encap = x->encap;
-		struct udphdr *uh = (void *)(skb_network_header(skb) + hdr_len);
-		struct tcphdr *th = (void *)(skb_network_header(skb) + hdr_len);
-		__be16 source;
+		u8 nexthdr = ip6h->nexthdr;
+		__be16 frag_off, source;
+		struct udphdr *uh;
+		struct tcphdr *th;
+
+		offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
+		uh = (void *)(skb->data + offset);
+		th = (void *)(skb->data + offset);
 
 		switch (x->encap->encap_type) {
 		case TCP_ENCAP_ESPINTCP:
-- 
2.27.0

Re: [PATCH ipsec] xfrm: esp6: fix encapsulation header offset computation

[Tobias Brunner]

Hi Sabrina,

> In commit 0146dca70b87, I incorrectly adapted the code that computes
> the location of the UDP or TCP encapsulation header from IPv4 to
> IPv6. In esp6_input_done2, skb->transport_header points to the ESP
> header, so by adding skb_network_header_len, uh and th will point to
> the ESP header, not the encapsulation header that's in front of it.
> 
> Since the TCP header's size can change with options, we have to start
> from the IPv6 header and walk past possible extensions.
> 
> Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
> Fixes: 26333c37fc28 ("xfrm: add IPv6 support for espintcp")
> Reported-by: Tobias Brunner <tobias@strongswan.org>
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

Thanks for the fix!

Tested-by: Tobias Brunner <tobias@strongswan.org>

Regards,
Tobias

Re: [PATCH ipsec] xfrm: esp6: fix encapsulation header offset computation

[Steffen Klassert]

On Fri, Jul 03, 2020 at 04:57:09PM +0200, Sabrina Dubroca wrote:
> In commit 0146dca70b87, I incorrectly adapted the code that computes
> the location of the UDP or TCP encapsulation header from IPv4 to
> IPv6. In esp6_input_done2, skb->transport_header points to the ESP
> header, so by adding skb_network_header_len, uh and th will point to
> the ESP header, not the encapsulation header that's in front of it.
> 
> Since the TCP header's size can change with options, we have to start
> from the IPv6 header and walk past possible extensions.
> 
> Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
> Fixes: 26333c37fc28 ("xfrm: add IPv6 support for espintcp")
> Reported-by: Tobias Brunner <tobias@strongswan.org>
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

Applied, thanks Sabrina!