Message-ID: <Y703mx5EEjQyH8Fu@hog>
Date: Tue, 10 Jan 2023 11:02:03 +0100
From: Sabrina Dubroca <sd@...asysnail.net>
To: ehakim@...dia.com
Cc: dsahern@...nel.org, netdev@...r.kernel.org, Raed Salem <raeds@...dia.com>
Subject: Re: [PATCH main 1/1] macsec: Fix Macsec replay protection

2023-01-10, 10:02:19 +0200, ehakim@...dia.com wrote:
> @@ -1516,7 +1515,7 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
> addattr_l(n, MACSEC_BUFLEN, IFLA_MACSEC_ICV_LEN,
> &cipher.icv_len, sizeof(cipher.icv_len));
>
> - if (replay_protect != -1) {
> + if (replay_protect) {

This will silently break disabling replay protection on an existing
device. This:

    ip link set macsec0 type macsec replay off

would now appear to succeed but will not do anything. That's why I
used an int with -1 in iproute, and a U8 netlink attribute rather than a
flag.

I think this would be a better fix:

 if (replay_protect != -1) {
- addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
+ if (replay_protect)
+ addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
 addattr8(n, MACSEC_BUFLEN, IFLA_MACSEC_REPLAY_PROTECT, replay_protect);
 }

Does that work for all your test cases?

> addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
> addattr8(n, MACSEC_BUFLEN, IFLA_MACSEC_REPLAY_PROTECT,
> replay_protect);

-- 
Sabrina
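
Review bot: In the quoted hunk at `@@ -1516,7 +1515,7 @@` in macsec_parse_opt(), the new test `if (replay_protect)` is false for the value 0, so the addattr8() call for IFLA_MACSEC_REPLAY_PROTECT that follows is never reached when the user asks for `replay off`, and the request is dropped without an error. Keep the three-state test `if (replay_protect != -1)` so that an explicit 0 is still sent, and make only the IFLA_MACSEC_WINDOW attribute conditional on the value being non-zero.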
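
Review bot: In the suggested replacement hunk, the inner `if (replay_protect)` withholds IFLA_MACSEC_WINDOW whenever replay protection is being switched off, so whatever value is held in `window` at that point is discarded without a message. Consider a short comment on the inner test stating why the window attribute is not sent together with IFLA_MACSEC_REPLAY_PROTECT set to 0, and decide whether option parsing should reject or warn when a window is given with replay protection disabled.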