lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 09 Oct 2013 13:44:01 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	steffen.klassert@...unet.com
Cc:	herbert@...dor.apana.org.au, netdev@...r.kernel.org
Subject: Re: pull request (net): ipsec 2013-10-09

From: Steffen Klassert <steffen.klassert@...unet.com>
Date: Wed,  9 Oct 2013 12:59:04 +0200

> 1) We used the wrong netlink attribute to verify the
>    lenght of the replay window on async events. Fix this by
>    using the right netlink attribute.
> 
> 2) Policy lookups can not match the output interface on forwarding.
>    Add the needed informations to the flow informations.
> 
> 3) We update the pmtu when we receive a ICMPV6_DEST_UNREACH message
>    on IPsec with ipv6. This is wrong and leads to strange fragmented
>    packets, only ICMPV6_PKT_TOOBIG messages should update the pmtu.
>    Fix this by removing the ICMPV6_DEST_UNREACH check from the IPsec
>    protocol error handlers.
> 
> 4) The legacy IPsec anti replay mechanism supports anti replay
>    windows up to 32 packets. If a user requests for a bigger
>    anti replay window, we use 32 packets but pretend that we use
>    the requested window size. Fix from Fan Du.
> 
> 5) If asynchronous events are enabled and replay_maxdiff is set to
>    zero, we generate an async event for every received packet instead
>    of checking whether a timeout occurred. Fix from Thomas Egerer.
> 
> 6) Policies need a refcount when the state resolution timer is armed.
>    Otherwise the timer can fire after the policy is deleted.
> 
> 7) We might dreference a NULL pointer if the hold_queue is empty,
>    add a check to avoid this.
> 
> Please pull or let me know if there are problems.

Pulled, thanks a lot Steffen.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ