Message ID | 20190614091355.18852-1-nicolas.dichtel@6wind.com |
---|---|
State | Awaiting Upstream |
Delegated to: | David Miller |
Series | [ipsec] xfrm: fix sa selector validation |

On Fri, Jun 14, 2019 at 11:13:55AM +0200, Nicolas Dichtel wrote:
> After commit b38ff4075a80, the following command does not work anymore:
> $ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
> mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
> 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
>
> In fact, the selector is not mandatory, allow the user to provide an empty
> selector.
>
> Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
> CC: Anirudh Gupta <anirudh.gupta@sophos.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Sorry for not catching this!

Thanks,

On Sat, Jun 15, 2019 at 12:11:48AM +0800, Herbert Xu wrote:
> On Fri, Jun 14, 2019 at 11:13:55AM +0200, Nicolas Dichtel wrote:
> > After commit b38ff4075a80, the following command does not work anymore:
> > $ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
> > mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
> > 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
> >
> > In fact, the selector is not mandatory, allow the user to provide an empty
> > selector.
> >
> > Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
> > CC: Anirudh Gupta <anirudh.gupta@sophos.com>
> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Patch applied, thanks everyone!

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 74a3d1e0ff63..6626564f1fb7 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, } switch (p->sel.family) { + case AF_UNSPEC: + break; + case AF_INET: if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) goto out;
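
Review bot: the new AF_UNSPEC case in verify_newsa_info() breaks out without looking at p->sel.prefixlen_d or p->sel.prefixlen_s, while the AF_INET case directly below it rejects values above 32. If AF_UNSPEC is meant to stand for the empty selector that the commit message describes, consider either rejecting non-zero prefix lengths in this case or adding a one-line comment stating that the selector is optional and left unvalidated here, so a later reader does not take the bare break for an oversight in a validation routine.
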
After commit b38ff4075a80, the following command does not work anymore:
$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
  mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
  'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4

In fact, the selector is not mandatory, allow the user to provide an empty
selector.

Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
CC: Anirudh Gupta <anirudh.gupta@sophos.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)