Skip to content

Commit

Permalink
xfrm: Fix xfrm sel prefix length validation
Browse files Browse the repository at this point in the history
Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.

Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Fixes: 07bf790 ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  • Loading branch information
Anirudh Gupta authored and Steffen Klassert committed May 28, 2019
1 parent af8f3fb commit b38ff40
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions net/xfrm/xfrm_user.c
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,

err = -EINVAL;
switch (p->family) {
case AF_INET:
break;

case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
break;
#else
err = -EAFNOSUPPORT;
goto out;
#endif

default:
goto out;
}

switch (p->sel.family) {
case AF_INET:
if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
goto out;
Expand Down

0 comments on commit b38ff40

Please sign in to comment.