| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Aug 2017 11:03:41 +0200
From: Jakub Sitnicki <jkbs@...hat.com>
To: Jonathan Basseri <misterikkit@...gle.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net,
steffen.klassert@...unet.com, lorenzo@...gle.com
Subject: Re: [PATCH net] xfrm: Clear sk_dst_cache when applying per-socket
policy.
On Tue, 15 Aug 2017 15:25:10 -0700
Jonathan Basseri <misterikkit@...gle.com> wrote:
> If an IPv6 socket has a valid dst cache, then xfrm_lookup_route will get
> skipped. However, the cache is not invalidated when applying policy to a
> socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
> sometimes ignored on those sockets.
>
> This can be demonstrated like so,
> 1. Create UDPv6 socket.
> 2. connect() the socket.
> 3. Apply an outbound XFRM policy to the socket.
> 4. send() data on the socket.
>
> Packets will continue to be sent in the clear instead of matching an
> xfrm or returning a no-match error (EAGAIN). This affects calls to
> send() and not sendto().
>
> Note: Creating normal XFRM policies should have a similar effect on
> sk_dst_cache entries that match the policy, but that is not fixed in
> this patch.
>
> Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid")
> Tested: https://android-review.googlesource.com/418659
> Signed-off-by: Jonathan Basseri <misterikkit@...gle.com>
> ---
Thank you for the fix.
Acked-by: Jakub Sitnicki <jkbs@...hat.com>
Powered by blists - more mailing lists