lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 27 Jul 2020 11:40:09 +0200
From:   Tobias Brunner <>
To:     Steffen Klassert <>,
        Sabrina Dubroca <>
Cc:, Paul Wouters <>,
        Andrew Cagney <>
Subject: Re: [RFC PATCH ipsec] xfrm: don't pass too short packets to userspace
 with ESPINUDP encap

>> Currently, any UDP-encapsulated packet of 8 bytes or less will be
>> passed to userspace, whether it starts with the non-ESP prefix or
>> not (except keepalives). This includes:
>>  - messages of 1, 2, 3 bytes
>>  - messages of 4 to 8 bytes not starting with 00 00 00 00
>> This patch changes that behavior, so that only properly-formed non-ESP
>> messages are passed to userspace. Messages of 8 bytes or less that
>> don't contain a full non-ESP prefix followed by some data (at least
>> one byte) will be dropped and counted as XfrmInHdrError.
> I'm ok with that change. But it affects userspace, so the *swan
> people have to tell if that's ok for them.

Yes, no problem from strongSwan's side.  Packets shorter than 4 bytes
are immediately dropped anyway, the others when attempting to parse as
IKE messages (already the initiator IKE SPI, with which they start, is 8
bytes long).


Powered by blists - more mailing lists