* [PATCH ipsec] xfrm: fix sa selector validation
@ 2019-06-14 9:13 Nicolas Dichtel
2019-06-14 16:11 ` Herbert Xu
0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Dichtel @ 2019-06-14 9:13 UTC (permalink / raw)
To: steffen.klassert, herbert, davem; +Cc: netdev, Nicolas Dichtel, Anirudh Gupta
After commit b38ff4075a80, the following command does not work anymore:
$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
In fact, the selector is not mandatory, allow the user to provide an empty
selector.
Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
CC: Anirudh Gupta <anirudh.gupta@sophos.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 74a3d1e0ff63..6626564f1fb7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
}
switch (p->sel.family) {
+ case AF_UNSPEC:
+ break;
+
case AF_INET:
if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
goto out;
--
2.21.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH ipsec] xfrm: fix sa selector validation
2019-06-14 9:13 [PATCH ipsec] xfrm: fix sa selector validation Nicolas Dichtel
@ 2019-06-14 16:11 ` Herbert Xu
2019-06-18 7:27 ` Steffen Klassert
0 siblings, 1 reply; 3+ messages in thread
From: Herbert Xu @ 2019-06-14 16:11 UTC (permalink / raw)
To: Nicolas Dichtel; +Cc: steffen.klassert, davem, netdev, Anirudh Gupta
On Fri, Jun 14, 2019 at 11:13:55AM +0200, Nicolas Dichtel wrote:
> After commit b38ff4075a80, the following command does not work anymore:
> $ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
> mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
> 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
>
> In fact, the selector is not mandatory, allow the user to provide an empty
> selector.
>
> Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
> CC: Anirudh Gupta <anirudh.gupta@sophos.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Sorry for not catching this!
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH ipsec] xfrm: fix sa selector validation
2019-06-14 16:11 ` Herbert Xu
@ 2019-06-18 7:27 ` Steffen Klassert
0 siblings, 0 replies; 3+ messages in thread
From: Steffen Klassert @ 2019-06-18 7:27 UTC (permalink / raw)
To: Herbert Xu; +Cc: Nicolas Dichtel, davem, netdev, Anirudh Gupta
On Sat, Jun 15, 2019 at 12:11:48AM +0800, Herbert Xu wrote:
> On Fri, Jun 14, 2019 at 11:13:55AM +0200, Nicolas Dichtel wrote:
> > After commit b38ff4075a80, the following command does not work anymore:
> > $ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
> > mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
> > 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
> >
> > In fact, the selector is not mandatory, allow the user to provide an empty
> > selector.
> >
> > Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
> > CC: Anirudh Gupta <anirudh.gupta@sophos.com>
> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Patch applied, thanks everyone!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-18 7:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-14 9:13 [PATCH ipsec] xfrm: fix sa selector validation Nicolas Dichtel
2019-06-14 16:11 ` Herbert Xu
2019-06-18 7:27 ` Steffen Klassert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).