Skip to content

Commit

Permalink
[IPSEC]: Reject packets within replay window but outside the bit mask
Browse files Browse the repository at this point in the history 
Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accomodate 32 packets.  Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.

This patch causes those packets to be rejected instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Herbert Xu authored and David S. Miller committed Apr 5, 2007
1 parent 60e5c16 commit 4c4d51a
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion net/xfrm/xfrm_state.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1371,7 +1371,8 @@ int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
return 0;

diff = x->replay.seq - seq;
if (diff >= x->props.replay_window) {
if (diff >= min_t(unsigned int, x->props.replay_window,
sizeof(x->replay.bitmap) * 8)) {
x->stats.replay_window++;
return -EINVAL;
}
Expand Down

0 comments on commit 4c4d51a

Please sign in to comment.