| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201103120515.GA10759@gondor.apana.org.au>
Date: Tue, 3 Nov 2020 23:05:15 +1100
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Anthony DeRossi <ajderossi@...il.com>
Cc: netdev@...r.kernel.org, steffen.klassert@...unet.com,
davem@...emloft.net, kuba@...nel.org
Subject: Re: [PATCH ipsec] xfrm: Pass template address family to
xfrm_state_look_at
On Mon, Nov 02, 2020 at 06:32:19PM -0800, Anthony DeRossi wrote:
> This fixes a regression where valid selectors are incorrectly skipped
> when xfrm_state_find is called with a non-matching address family (e.g.
> when using IPv6-in-IPv4 ESP in transport mode).
>
> The state's address family is matched against the template's family
> (encap_family) in xfrm_state_find before checking the selector in
> xfrm_state_look_at. The template's family should also be used for
> selector matching, otherwise valid selectors may be skipped.
>
> Fixes: e94ee171349d ("xfrm: Use correct address family in xfrm_state_find")
> Signed-off-by: Anthony DeRossi <ajderossi@...il.com>
> ---
> net/xfrm/xfrm_state.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Your patch reintroduces the same bug that my patch was trying to
fix, namely that when you do the comparison on flow you must use
the original family and not some other value.
Cheers,
--
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists