Date:	Fri, 09 Mar 2007 19:54:15 -0500
From:	Eric Paris <>
To:	David Miller <>
Subject: Re: [PATCH]: double SAs are created when using AH and ESP together

On Fri, 2007-03-09 at 16:20 -0800, David Miller wrote:
> From: Joy Latten <>
> Date: Fri, 9 Mar 2007 17:14:54 -0600
> > I noticed that in xfrm_state_add we look for the larval SA in a few
> > places without checking for protocol match. So when using both 
> > AH and ESP, whichever one gets added first, deletes the larval SA. 
> > It seems AH always gets added first and ESP is always the larval 
> > SA's protocol since the xfrm->tmpl has it first. Thus causing the
> > additional km_query()
> > 
> > Adding the check eliminates the double SA creation. 
> > I know this may not seem like a complete solution and I will 
> > continue to test and be on the lookout, but isn't having the
> > check a good thing? So far I have tested SAs with just ESP, just AH
> > and with both and all seems ok. 
> > 
> > Please let me know if this patch is ok. 
> > My kernel was 2.6.20-rc3-git3.
> > 
> > Signed-off-by: Joy Latten <>
> Generally it looks OK, but I'm going to let this one sit for
> a while before I apply it so that other folks can review it
> too and spot any unintended consequences.
> In particular, I find it strange that we didn't check the
> protocol field all this time and I wonder whether that might
> be on purpose for some reason.

At least the first hunk of this patch used to be checked back in
net/ipv4/xfrm4_state.c in __xfrm4_find_acq and looks like it just was
accidentally forgotten when there was a transition to using

Since Joy found this problem on a 2.6.18 kernel originally which was
before this diff and had the proto check I'm guessing it is actually the
second hunk which is more relevant to the problem.
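
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a simplified model of a larval SA lookup with and without a protocol match. All names (`find`, `state_add`, `packet_needs`, `run`) and the table layout are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT kernel code: all names and fields are hypothetical. */
enum { PROTO_ESP = 50, PROTO_AH = 51 };    /* IP protocol numbers */

struct sa { int used; int proto; int larval; };
static struct sa table[8];
static int km_queries;                      /* acquire requests sent to the key manager */

/* Look up an SA by larval flag; the protocol is compared only if check_proto is set. */
static struct sa *find(int proto, int larval, int check_proto) {
    for (int i = 0; i < 8; i++)
        if (table[i].used && table[i].larval == larval &&
            (!check_proto || table[i].proto == proto))
            return &table[i];
    return NULL;
}

static void insert(int proto, int larval) {
    for (int i = 0; i < 8; i++)
        if (!table[i].used) { table[i] = (struct sa){1, proto, larval}; return; }
}

/* Outbound packet needs an SA: with none present, create a larval one and query the KM. */
static void packet_needs(int proto) {
    if (find(proto, 0, 1) || find(proto, 1, 1)) return;
    insert(proto, 1);
    km_queries++;
}

/* Key manager installs a mature SA; the larval placeholder it finds is dropped. */
static void state_add(int proto, int check_proto) {
    struct sa *l = find(proto, 1, check_proto);
    if (l) l->used = 0;
    insert(proto, 0);
}

/* Replays: ESP packet, AH installed first, another ESP packet, ESP installed. */
int run(int check_proto) {
    memset(table, 0, sizeof table); km_queries = 0;
    packet_needs(PROTO_ESP);
    state_add(PROTO_AH, check_proto);
    packet_needs(PROTO_ESP);
    state_add(PROTO_ESP, check_proto);
    return km_queries;
}

int main(void) {
    printf("without proto check: %d km queries\n", run(0));
    printf("with proto check:    %d km queries\n", run(1));
    return 0;
}
```

Without the protocol match, installing AH removes the ESP larval entry, so the next ESP packet triggers a second query; with the match, the larval entry survives until ESP itself is installed.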

