| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Dec 2013 09:57:03 +0100 From: Steffen Klassert <steffen.klassert@...unet.com> To: Fan Du <fan.du@...driver.com> Cc: davem@...emloft.net, netdev@...r.kernel.org Subject: Re: [PATCH net-next 2/3] xfrm: clamp down spi range for IPComp when allocating spi On Mon, Dec 09, 2013 at 02:27:43PM +0800, Fan Du wrote: > On 2013年12月06日 19:42, Steffen Klassert wrote: > > > >Also, the spi range is user defined, we should respect the > >users configuration if the range is valid. > > Ok, then, speaking of respect user defined range, how about below informal > patch which only check the validity of the range? My original thoughts is CPI > is only 16bits wide, kernel itself can keep the CPI's validity. btw, v2 will > also fix patch1/3 align issue. > > diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c > index 6a9c402..2c6fb99 100644 > --- a/net/xfrm/xfrm_state.c > +++ b/net/xfrm/xfrm_state.c > @@ -1507,6 +1507,9 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) > > err = -ENOENT; > > + if ((x->id.proto == IPPROTO_COMP) && (high > 0xFFFF)) > + goto unlock; > + This check is already done in verify_userspi_info() if xfrm_alloc_spi() is called from xfrm_alloc_userspi(). Instead of doing this check here again, we should implement an equivalent to verify_userspi_info() for pfkey. Then we are sure to have a valid range in any case. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists