lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 27 Dec 2018 13:32:14 +0000
From:   Raed Salem <raeds@...lanox.com>
To:     "steffen.klassert@...unet.com" <steffen.klassert@...unet.com>
CC:     Boris Pismenny <borisp@...lanox.com>,
        Yossi Kuperman <yossiku@...lanox.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
        "davem@...emloft.net" <davem@...emloft.net>
Subject: [PATCH ipsec] xfrm: fix non-GRO codepath for IPsec hardware
 offloading

In xfrm_input() when called with IPsec hardware offload done and without GRO, encap_type == 0, we end up skipping esp_input_tail as crypto_done is set only within GRO code path, fix by move out crypto_done assignment from the GRO code path and change code accordingly

Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Raed Salem <raeds@...lanox.com>
Reviewed-by: Yossi Kuperman< yossiku@...lanox.com>
Reviewed-by: Boris Pismenny <borisp@...lanox.com>
---
 net/xfrm/xfrm_input.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index d563590..6de8f3c 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -234,10 +234,10 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 	int decaps = 0;
 	int async = 0;
 	bool xfrm_gro = false;
-	bool crypto_done = false;
 	struct xfrm_offload *xo = xfrm_offload(skb);
+	bool crypto_done = (xo && (xo->flags & CRYPTO_DONE));
 
-	if (encap_type < 0) {
+	if (encap_type < 0 || crypto_done) {
 		x = xfrm_input_state(skb);
 
 		if (unlikely(x->km.state != XFRM_STATE_VALID)) { @@ -262,8 +262,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 		encap_type = 0;
 		seq = XFRM_SPI_SKB_CB(skb)->seq;
 
-		if (xo && (xo->flags & CRYPTO_DONE)) {
-			crypto_done = true;
+		if (crypto_done) {
 			family = XFRM_SPI_SKB_CB(skb)->family;
 
 			if (!(xo->status & CRYPTO_SUCCESS)) {
--
1.9.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ