netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH ipsec] xfrm: fix sa selector validation
@ 2019-06-14  9:13 Nicolas Dichtel
  2019-06-14 16:11 ` Herbert Xu
  0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Dichtel @ 2019-06-14  9:13 UTC (permalink / raw)
  To: steffen.klassert, herbert, davem; +Cc: netdev, Nicolas Dichtel, Anirudh Gupta

After commit b38ff4075a80, the following command does not work anymore:
$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
  mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
  'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4

In fact, the selector is not mandatory, allow the user to provide an empty
selector.

Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
CC: Anirudh Gupta <anirudh.gupta@sophos.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 74a3d1e0ff63..6626564f1fb7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 	}
 
 	switch (p->sel.family) {
+	case AF_UNSPEC:
+		break;
+
 	case AF_INET:
 		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
 			goto out;
-- 
2.21.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH ipsec] xfrm: fix sa selector validation
  2019-06-14  9:13 [PATCH ipsec] xfrm: fix sa selector validation Nicolas Dichtel
@ 2019-06-14 16:11 ` Herbert Xu
  2019-06-18  7:27   ` Steffen Klassert
  0 siblings, 1 reply; 3+ messages in thread
From: Herbert Xu @ 2019-06-14 16:11 UTC (permalink / raw)
  To: Nicolas Dichtel; +Cc: steffen.klassert, davem, netdev, Anirudh Gupta

On Fri, Jun 14, 2019 at 11:13:55AM +0200, Nicolas Dichtel wrote:
> After commit b38ff4075a80, the following command does not work anymore:
> $ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
>   mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
>   'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
> 
> In fact, the selector is not mandatory, allow the user to provide an empty
> selector.
> 
> Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
> CC: Anirudh Gupta <anirudh.gupta@sophos.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Sorry for not catching this!

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH ipsec] xfrm: fix sa selector validation
  2019-06-14 16:11 ` Herbert Xu
@ 2019-06-18  7:27   ` Steffen Klassert
  0 siblings, 0 replies; 3+ messages in thread
From: Steffen Klassert @ 2019-06-18  7:27 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Nicolas Dichtel, davem, netdev, Anirudh Gupta

On Sat, Jun 15, 2019 at 12:11:48AM +0800, Herbert Xu wrote:
> On Fri, Jun 14, 2019 at 11:13:55AM +0200, Nicolas Dichtel wrote:
> > After commit b38ff4075a80, the following command does not work anymore:
> > $ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
> >   mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
> >   'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
> > 
> > In fact, the selector is not mandatory, allow the user to provide an empty
> > selector.
> > 
> > Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
> > CC: Anirudh Gupta <anirudh.gupta@sophos.com>
> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> 
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Patch applied, thanks everyone!

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-18  7:27 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-14  9:13 [PATCH ipsec] xfrm: fix sa selector validation Nicolas Dichtel
2019-06-14 16:11 ` Herbert Xu
2019-06-18  7:27   ` Steffen Klassert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).