Open Source and information security mailing list archives
Date: Wed, 15 Jan 2020 20:22:31 +0100
From: Andrea Mayer <andrea.mayer@...roma2.it>
To: "David S. Miller" <davem@...emloft.net>, Petr Machata <petrm@...lanox.com>, Stefano Brivio <sbrivio@...hat.com>, Eric Dumazet <edumazet@...gle.com>, Taehee Yoo <ap420073@...il.com>, Litao jiao <jiaolitao@...secom.com>, Roopa Prabhu <roopa@...ulusnetworks.com>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Andrea Mayer <andrea.mayer@...roma2.it>, Paolo Lungaroni <paolo.lungaroni@...t.it>
Subject: [net] vxlan: fix vxlan6_get_route() adding a call to xfrm_lookup_route()

Currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.

The problem is that the vxlan module uses the vxlan6_get_route() function to find out the route for transmitting an IPv6 packet, which in turn uses ip6_dst_lookup() available in ip6_output.c. Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup, so the xfrm framework cannot be used with vxlan6.

To fix the issue above, the vxlan6_get_route() function has been patched by adding a missing call to xfrm_lookup_route(). Doing that, vxlan6_get_route() is now capable of looking up a route while also taking into account xfrm policies, if any.

Signed-off-by: Andrea Mayer <andrea.mayer@...roma2.it>
Signed-off-by: Paolo Lungaroni <paolo.lungaroni@...t.it>
---
 drivers/net/vxlan.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index bf04bc2e68c2..bec55a911c4f 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2306,6 +2306,11 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, return ERR_PTR(-ENETUNREACH); } + ndst = xfrm_lookup_route(vxlan->net, ndst, flowi6_to_flowi(&fl6), + sock6->sock->sk, 0); + if (IS_ERR_OR_NULL(ndst)) + return ERR_PTR(-ENETUNREACH); + if (unlikely(ndst->dev == dev)) { netdev_dbg(dev, "circular route to %pI6\n", daddr); dst_release(ndst);
-- 
2.20.1
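Review bot: the new error branch in the vxlan6_get_route() hunk collapses every xfrm_lookup_route() failure into -ENETUNREACH, so a packet dropped by a blocking xfrm policy becomes indistinguishable from a genuinely unreachable destination for the caller and for any error reporting built on it; when IS_ERR(ndst) holds, propagating the real error (for example `return ERR_CAST(ndst);`, keeping the -ENETUNREACH mapping only for the NULL case) preserves that distinction. The same branch returns without a dst_release(ndst) on the original route, which is correct only if xfrm_lookup_route() drops the caller's reference on failure; a one-line comment, or a sentence in the commit message, stating that this is relied upon would save the next reader from checking. The commit message also says nothing about why the flags argument is 0 and whether the IPv4 path needs an equivalent change; both are worth a sentence.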