Date: Mon, 27 Jan 2020 15:31:14 +0100
From: Thomas Egerer <thomas.egerer@...unet.com>
To: <netdev@...r.kernel.org>
Subject: [PATCH net] xfrm: Interpret XFRM_INF as 32 bit value for non-ESN states

Currently, when left unconfigured, hard and soft packet limit are set to XFRM_INF ((__u64)~0). This can be problematic for non-ESN states, as their 'natural' packet limit is 2^32 - 1 packets. When reached, instead of creating an expire event, the states become unusable and increase their respective 'state expired' counter in the xfrm statistics. The only way for them to actually expire is based on their lifetime limits.

This patch reduces the packet limit of non-ESN states with XFRM_INF as their soft/hard packet limit to their maximum achievable sequence number in order to trigger an expire, which can then be used by an IKE daemon to reestablish the connection.

Signed-off-by: Thomas Egerer <thomas.egerer@...unet.com>
--- net/xfrm/xfrm_user.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index b88ba45..84d4008 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -505,6 +505,13 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info * if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) x->sel.family = p->family; + + if ((x->props.flags & XFRM_STATE_ESN) == 0 { + if (x->lft.soft_packet_limit == XFRM_INF) + x->lft.soft_packet_limit == (__u32)~0; + if (x->lft.hard_packet_limit == XFRM_INF) + x->lft.hard_packet_limit == (__u32)~0; + } } /* -- 2.6.4
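
Review bot: The block added to copy_from_user_state() cannot build as posted, and would be a no-op even if it did. The condition `if ((x->props.flags & XFRM_STATE_ESN) == 0 {` is missing its closing parenthesis, and both statements under the XFRM_INF checks use `==` where an assignment is intended, so `x->lft.soft_packet_limit == (__u32)~0;` only compares and discards the result, leaving the limits at XFRM_INF. The lines should read `x->lft.soft_packet_limit = (__u32)~0;` and `x->lft.hard_packet_limit = (__u32)~0;`. Separately, clamping soft and hard to the same value means the soft expire is raised at the same packet count as the hard one, which leaves the IKE daemon named in the commit message no window to rekey before the state stops being usable; a soft limit somewhat below the hard limit would fit the stated goal better.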