| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 May 2014 13:24:58 +0800
From: nickcave <nickcave.zhang@...il.com>
To: netdev@...r.kernel.org
Subject: problem when a ipsec output packet re-routing in ip6_route_me_harder
Hi All:
I found in some case a packet match IPSEC rule will be send out in plaintext.
If a output ipv6 packet match a ipsec rule and the dst be set to
xfrm_output correct,
but there is a netfilter mangle table rule also matched the rule
which set the mark value to 0x01 ,
and then ,in ip6t_mangle_out ,when ip6t_do_table finished, the mark
value changed, and the packet
need routing by ip6_route_me_harder , the packet will be decode by
ip6_route_me_harder—>xfrm_decode_session->_decode_session6 the
function get nexthdr from cb , I found the cb only be set when it's a
incoming packet, so in this case , I got a error nexthdr value. It's
caused the xfrm_lookup failure,and the packet be sendout in plaintext.
u8 nexthdr = nh[IP6CB(skb)->nhoff]; //in my case, the nexthdr is always 96
I think it a kernel bug.Did anyone met the same issue?
Best Regards
Hui Zhang
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists