lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20070309.162027.38709797.davem@davemloft.net>
Date:	Fri, 09 Mar 2007 16:20:27 -0800 (PST)
From:	David Miller <davem@...emloft.net>
To:	latten@...tin.ibm.com
Cc:	netdev@...r.kernel.org, eparis@...hat.com,
	herbert@...dor.apana.org.au, jmorris@...ei.org, paul.moore@...com,
	vyekkirala@...stedCS.com
Subject: Re: [PATCH]: double SAs are created when using AH and ESP together

From: Joy Latten <latten@...tin.ibm.com>
Date: Fri, 9 Mar 2007 17:14:54 -0600

> I noticed that in xfrm_state_add we look for the larval SA in a few
> places without checking for protocol match. So when using both 
> AH and ESP, whichever one gets added first, deletes the larval SA. 
> It seems AH always gets added first and ESP is always the larval 
> SA's protocol since the xfrm->tmpl has it first. Thus causing the
> additional km_query()
> 
> Adding the check eliminates the double SA creation. 
> I know this may not seem like a complete solution and I will 
> continue to test and be on the lookout, but isn't having the
> check a good thing? So far I have tested SAs with just ESP, just AH
> and with both and all seems ok. 
> 
> Please let me know if this patch is ok. 
> My kernel was 2.6.20-rc3-git3.
> 
> Signed-off-by: Joy Latten <latten@...tin.ibm.com>

Generally it looks OK, but I'm going to let this one sit for
a while before I apply it so that other folks can review it
too and spot any unintended consequences.

In particular, I find it strance that we didn't check the
protocol field all this time and I wonder whether that might
be on purpose for some reason.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ