Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cc01572e authored by Yossi Kuperman's avatar Yossi Kuperman Committed by Steffen Klassert
Browse files

xfrm: Add SA to hardware at the end of xfrm_state_construct() 



Current code configures the hardware with a new SA before the state has been
fully initialized. During this time interval, an incoming ESP packet can cause
a crash due to a NULL dereference. More specifically, xfrm_input() considers
the packet as valid, and yet, anti-replay mechanism is not initialized.

Move hardware configuration to the end of xfrm_state_construct(), and mark
the state as valid once the SA is fully initialized.

Fixes: d77e38e6 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: default avatarAviad Yehezkel <aviadye@mellnaox.com>
Signed-off-by: default avatarAviv Heller <avivh@mellanox.com>
Signed-off-by: default avatarYossi Kuperman <yossiku@mellanox.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent ad9294db

net/xfrm/xfrm_state.c

+7 −3
Original line number Diff line number Diff line
@@ -2272,8 +2272,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) 
			goto error;

	}



	x->km.state = XFRM_STATE_VALID;



error:

	return err;

}
@@ -2282,7 +2280,13 @@ EXPORT_SYMBOL(__xfrm_init_state); 


int xfrm_init_state(struct xfrm_state *x)

{

	return __xfrm_init_state(x, true, false);

	int err;



	err = __xfrm_init_state(x, true, false);

	if (!err)

		x->km.state = XFRM_STATE_VALID;



	return err;

}



EXPORT_SYMBOL(xfrm_init_state);

net/xfrm/xfrm_user.c

+11 −7
Original line number Diff line number Diff line
@@ -598,13 +598,6 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, 
			goto error;

	}



	if (attrs[XFRMA_OFFLOAD_DEV]) {

		err = xfrm_dev_state_add(net, x,

					 nla_data(attrs[XFRMA_OFFLOAD_DEV]));

		if (err)

			goto error;

	}



	if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,

					       attrs[XFRMA_REPLAY_ESN_VAL])))

		goto error;
@@ -620,6 +613,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, 
	/* override default values from above */

	xfrm_update_ae_params(x, attrs, 0);



	/* configure the hardware if offload is requested */

	if (attrs[XFRMA_OFFLOAD_DEV]) {

		err = xfrm_dev_state_add(net, x,

					 nla_data(attrs[XFRMA_OFFLOAD_DEV]));

		if (err)

			goto error;

	}



	return x;



error:
@@ -662,6 +663,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 
		goto out;

	}



	if (x->km.state == XFRM_STATE_VOID)

		x->km.state = XFRM_STATE_VALID;



	c.seq = nlh->nlmsg_seq;

	c.portid = nlh->nlmsg_pid;

	c.event = nlh->nlmsg_type;