lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Y+861os+ZbBWVvvi@gondor.apana.org.au>
Date:   Fri, 17 Feb 2023 16:29:10 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Sri Sakthi <srisakthi.s@...il.com>
Cc:     steffen.klassert@...unet.com, davem@...emloft.net,
        netdev@...r.kernel.org, srisakthi.subramaniam@...hos.com,
        david.george@...hos.com, Vimal.Agrawal@...hos.com
Subject: Re: xfrm: Pass on correct AF value to xfrm_state_find

On Fri, Feb 17, 2023 at 01:53:55PM +0530, Sri Sakthi wrote:
>
> configuration error and you can see similar configuration by strongswan in
> https://www.strongswan.org/testing/testresults/ikev2/compress/

Just because strongswan is doing it doesn't mean that it isn't
buggy.

Either have no policy selector on the ESP SA, or have one that
actually matches the inner flow.

The configuration you presented was only working by accident
previously as it used the wrong family to interpret the inner
flow addresses.  In your case, it would have interpreted the
inner addresses src 10.171.96.0/20 dst 10.171.80.0/20 as IPv6
addresses.

This is what triggered the original out-of-bound report and
my patch.

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ