Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6a172802 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 



Steffen Klassert says:

====================
pull request (net): ipsec 2017-11-09

1) Fix a use after free due to a reallocated skb head.
   From Florian Westphal.

2) Fix sporadic lookup failures on labeled IPSEC.
   From Florian Westphal.

3) Fix a stack out of bounds when a socket policy is applied
   to an IPv6 socket that sends IPv4 packets.

Please pull or let me know if there are problems.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 623859ae c9f3f813

net/xfrm/xfrm_input.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -266,8 +266,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) 
		goto lock;

		goto lock;

	}

	}





	daddr = (xfrm_address_t *)(skb_network_header(skb) +

				   XFRM_SPI_SKB_CB(skb)->daddroff);

	family = XFRM_SPI_SKB_CB(skb)->family;

	family = XFRM_SPI_SKB_CB(skb)->family;





	/* if tunnel is present override skb->mark value with tunnel i_key */

	/* if tunnel is present override skb->mark value with tunnel i_key */
@@ -294,6 +292,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) 
		goto drop;

		goto drop;

	}

	}





	daddr = (xfrm_address_t *)(skb_network_header(skb) +

				   XFRM_SPI_SKB_CB(skb)->daddroff);

	do {

	do {

		if (skb->sp->len == XFRM_MAX_DEPTH) {

		if (skb->sp->len == XFRM_MAX_DEPTH) {

			XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);

			XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);

net/xfrm/xfrm_policy.c

+35 −36
Original line number Original line Diff line number Diff line
@@ -1361,18 +1361,14 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, 
	struct net *net = xp_net(policy);

	struct net *net = xp_net(policy);

	int nx;

	int nx;

	int i, error;

	int i, error;

	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);

	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);

	xfrm_address_t tmp;

	xfrm_address_t tmp;





	for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {

	for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {

		struct xfrm_state *x;

		struct xfrm_state *x;

		xfrm_address_t *remote = daddr;

		xfrm_address_t *local;

		xfrm_address_t *local  = saddr;

		xfrm_address_t *remote;

		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];

		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];





		if (tmpl->mode == XFRM_MODE_TUNNEL ||

		    tmpl->mode == XFRM_MODE_BEET) {

		remote = &tmpl->id.daddr;

		remote = &tmpl->id.daddr;

		local = &tmpl->saddr;

		local = &tmpl->saddr;

		if (xfrm_addr_any(local, tmpl->encap_family)) {

		if (xfrm_addr_any(local, tmpl->encap_family)) {
@@ -1383,14 +1379,11 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, 
				goto fail;

				goto fail;

			local = &tmp;

			local = &tmp;

		}

		}

		}





		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);

		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);





		if (x && x->km.state == XFRM_STATE_VALID) {

		if (x && x->km.state == XFRM_STATE_VALID) {

			xfrm[nx++] = x;

			xfrm[nx++] = x;

			daddr = remote;

			saddr = local;

			continue;

			continue;

		}

		}

		if (x) {

		if (x) {
@@ -1787,19 +1780,23 @@ void xfrm_policy_cache_flush(void) 
	put_online_cpus();

	put_online_cpus();

}

}





static bool xfrm_pol_dead(struct xfrm_dst *xdst)

static bool xfrm_xdst_can_reuse(struct xfrm_dst *xdst,

				struct xfrm_state * const xfrm[],

				int num)

{

{

	unsigned int num_pols = xdst->num_pols;

	const struct dst_entry *dst = &xdst->u.dst;

	unsigned int pol_dead = 0, i;

	int i;





	for (i = 0; i < num_pols; i++)

	if (xdst->num_xfrms != num)

		pol_dead |= xdst->pols[i]->walk.dead;

		return false;





	/* Mark DST_OBSOLETE_DEAD to fail the next xfrm_dst_check() */

	for (i = 0; i < num; i++) {

	if (pol_dead)

		if (!dst || dst->xfrm != xfrm[i])

		xdst->u.dst.obsolete = DST_OBSOLETE_DEAD;

			return false;

		dst = dst->child;

	}





	return pol_dead;

	return xfrm_bundle_ok(xdst);

}

}





static struct xfrm_dst *

static struct xfrm_dst *
@@ -1813,26 +1810,28 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, 
	struct dst_entry *dst;

	struct dst_entry *dst;

	int err;

	int err;





	/* Try to instantiate a bundle */

	err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);

	if (err <= 0) {

		if (err != 0 && err != -EAGAIN)

			XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);

		return ERR_PTR(err);

	}



	xdst = this_cpu_read(xfrm_last_dst);

	xdst = this_cpu_read(xfrm_last_dst);

	if (xdst &&

	if (xdst &&

	    xdst->u.dst.dev == dst_orig->dev &&

	    xdst->u.dst.dev == dst_orig->dev &&

	    xdst->num_pols == num_pols &&

	    xdst->num_pols == num_pols &&

	    !xfrm_pol_dead(xdst) &&

	    memcmp(xdst->pols, pols,

	    memcmp(xdst->pols, pols,

		   sizeof(struct xfrm_policy *) * num_pols) == 0 &&

		   sizeof(struct xfrm_policy *) * num_pols) == 0 &&

	    xfrm_bundle_ok(xdst)) {

	    xfrm_xdst_can_reuse(xdst, xfrm, err)) {

		dst_hold(&xdst->u.dst);

		dst_hold(&xdst->u.dst);

		while (err > 0)

			xfrm_state_put(xfrm[--err]);

		return xdst;

		return xdst;

	}

	}





	old = xdst;

	old = xdst;

	/* Try to instantiate a bundle */

	err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);

	if (err <= 0) {

		if (err != 0 && err != -EAGAIN)

			XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);

		return ERR_PTR(err);

	}





	dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);

	dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);

	if (IS_ERR(dst)) {

	if (IS_ERR(dst)) {