Message ID | 20110426054121.GH5495@secunet.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Tue, Apr 26, 2011 at 07:41:21AM +0200, Steffen Klassert wrote: > IPsec extended sequence numbers can be used only with the new > anti-replay window implementation. So check if the new implementation > is used if an esn state is inserted and return an error if it is not. > > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
From: Herbert Xu <herbert@gondor.apana.org.au> Date: Tue, 26 Apr 2011 15:43:04 +1000 > On Tue, Apr 26, 2011 at 07:41:21AM +0200, Steffen Klassert wrote: >> IPsec extended sequence numbers can be used only with the new >> anti-replay window implementation. So check if the new implementation >> is used if an esn state is inserted and return an error if it is not. >> >> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> > > Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 5d1d60d..c658cb3 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -124,6 +124,9 @@ static inline int verify_replay(struct xfrm_usersa_info *p, { struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; + if ((p->flags & XFRM_STATE_ESN) && !rt) + return -EINVAL; + if (!rt) return 0;
IPsec extended sequence numbers can be used only with the new anti-replay window implementation. So check if the new implementation is used if an esn state is inserted and return an error if it is not. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> --- net/xfrm/xfrm_user.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)