Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e40b3286 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller
Browse files

[IPSEC]: Forbid BEET + ipcomp for now 



While BEET can theoretically work with IPComp the current code can't
do that because it tries to construct a BEET mode tunnel type which
doesn't (and cannot) exist.  In fact as it is it won't even attach a
tunnel object at all for BEET which is bogus.

To support this fully we'd also need to change the policy checks on
input to recognise a plain tunnel as a legal variant of an optional
BEET transform.

This patch simply fails such constructions for now.

Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 25ee3286

net/ipv4/ipcomp.c

+12 −8
Original line number Diff line number Diff line
@@ -182,7 +182,6 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info) 
static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)

{

	struct xfrm_state *t;

	u8 mode = XFRM_MODE_TUNNEL;



	t = xfrm_state_alloc();

	if (t == NULL)
@@ -193,9 +192,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) 
	t->id.daddr.a4 = x->id.daddr.a4;

	memcpy(&t->sel, &x->sel, sizeof(t->sel));

	t->props.family = AF_INET;

	if (x->props.mode == XFRM_MODE_BEET)

		mode = x->props.mode;

	t->props.mode = mode;

	t->props.mode = x->props.mode;

	t->props.saddr.a4 = x->props.saddr.a4;

	t->props.flags = x->props.flags;
@@ -389,15 +386,22 @@ static int ipcomp_init_state(struct xfrm_state *x) 
	if (x->encap)

		goto out;



	x->props.header_len = 0;

	switch (x->props.mode) {

	case XFRM_MODE_TRANSPORT:

		break;

	case XFRM_MODE_TUNNEL:

		x->props.header_len += sizeof(struct iphdr);

		break;

	default:

		goto out;

	}



	err = -ENOMEM;

	ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);

	if (!ipcd)

		goto out;



	x->props.header_len = 0;

	if (x->props.mode == XFRM_MODE_TUNNEL)

		x->props.header_len += sizeof(struct iphdr);



	mutex_lock(&ipcomp_resource_mutex);

	if (!ipcomp_alloc_scratches())

		goto error;

net/ipv6/ipcomp6.c

+8 −11
Original line number Diff line number Diff line
@@ -190,7 +190,6 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, 
static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)

{

	struct xfrm_state *t = NULL;

	u8 mode = XFRM_MODE_TUNNEL;



	t = xfrm_state_alloc();

	if (!t)
@@ -204,9 +203,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) 
	memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr));

	memcpy(&t->sel, &x->sel, sizeof(t->sel));

	t->props.family = AF_INET6;

	if (x->props.mode == XFRM_MODE_BEET)

		mode = x->props.mode;

	t->props.mode = mode;

	t->props.mode = x->props.mode;

	memcpy(t->props.saddr.a6, x->props.saddr.a6, sizeof(struct in6_addr));



	if (xfrm_init_state(t))
@@ -405,22 +402,22 @@ static int ipcomp6_init_state(struct xfrm_state *x) 
	if (x->encap)

		goto out;



	err = -ENOMEM;

	ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);

	if (!ipcd)

		goto out;



	x->props.header_len = 0;

	switch (x->props.mode) {

	case XFRM_MODE_BEET:

	case XFRM_MODE_TRANSPORT:

		break;

	case XFRM_MODE_TUNNEL:

		x->props.header_len += sizeof(struct ipv6hdr);

		break;

	default:

		goto error;

		goto out;

	}



	err = -ENOMEM;

	ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);

	if (!ipcd)

		goto out;



	mutex_lock(&ipcomp6_resource_mutex);

	if (!ipcomp6_alloc_scratches())

		goto error;