lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 15 Jan 2020 20:22:31 +0100
From:   Andrea Mayer <andrea.mayer@...roma2.it>
To:     "David S. Miller" <davem@...emloft.net>,
        Petr Machata <petrm@...lanox.com>,
        Stefano Brivio <sbrivio@...hat.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Taehee Yoo <ap420073@...il.com>,
        Litao jiao <jiaolitao@...secom.com>,
        Roopa Prabhu <roopa@...ulusnetworks.com>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     Andrea Mayer <andrea.mayer@...roma2.it>,
        Paolo Lungaroni <paolo.lungaroni@...t.it>
Subject: [net] vxlan: fix vxlan6_get_route() adding a call to xfrm_lookup_route()

currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.
The problem is that the vxlan module uses the vxlan6_get_route()
function to find out the route for transmitting an IPv6 packet, which in
turn uses ip6_dst_lookup() available in ip6_output.c.
Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup,
so the xfrm framework cannot be used with vxlan6.

To fix the issue above, the vxlan6_get_route() function has been patched
by adding a missing call to xfrm_lookup_route(). Doing that, the
vxlan6_get_route() is now capable to lookup a route taking into account
also xfrm policies, if any.

Signed-off-by: Andrea Mayer <andrea.mayer@...roma2.it>
Signed-off-by: Paolo Lungaroni <paolo.lungaroni@...t.it>
---
 drivers/net/vxlan.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index bf04bc2e68c2..bec55a911c4f 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2306,6 +2306,11 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
 		return ERR_PTR(-ENETUNREACH);
 	}
 
+	ndst = xfrm_lookup_route(vxlan->net, ndst, flowi6_to_flowi(&fl6),
+				 sock6->sock->sk, 0);
+	if (IS_ERR_OR_NULL(ndst))
+		return ERR_PTR(-ENETUNREACH);
+
 	if (unlikely(ndst->dev == dev)) {
 		netdev_dbg(dev, "circular route to %pI6\n", daddr);
 		dst_release(ndst);
-- 
2.20.1

Powered by blists - more mailing lists