| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1402288645-6904-1-git-send-email-huizhang@marvell.com> Date: Mon, 9 Jun 2014 12:37:25 +0800 From: Hui Zhang <huizhang@...vell.com> To: <netdev@...r.kernel.org> CC: <alan@...rguk.ukuu.org.uk>, <davem@...emloft.net>, <sergei.shtylyov@...entembedded.com>, <nickcave.zhang@...il.com>, <huizhang@...vell.com> Subject: [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781 When a local output ipsec packet match the mangle table rule, and be set mark value, the packet will be route again in route_me_harder -> _session_decoder6 In this case, the nhoff in CB of skb was still the default value 0. So the protocal match can't success and the packet can't match correct SA rule,and then the packet be send out in plaintext. To fixed up the issue. The CB->nhoff must be set. Signed-off-by: Hui Zhang <huizhang@...vell.com> --- net/ipv6/output_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c index 827f795..589f6b9 100644 --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c @@ -106,6 +106,7 @@ int __ip6_local_out(struct sk_buff *skb) if (len > IPV6_MAXPLEN) len = 0; ipv6_hdr(skb)->payload_len = htons(len); + IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev, dst_output); -- 1.7.9.5 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists