| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 Mar 2023 10:24:20 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Tobias Brunner <tobias@...ongswan.org>
CC: <netdev@...r.kernel.org>, <devel@...ux-ipsec.org>,
Hyunwoo Kim <v4bel@...ori.io>,
Tudor Ambarus <tudordana@...gle.com>,
Eric Dumazet <edumazet@...gle.com>
Subject: Re: [devel-ipsec] [PATCH ipsec] xfrm: Don't allow optional
intermediate templates that changes the address family
On Fri, Mar 31, 2023 at 10:19:33AM +0200, Tobias Brunner wrote:
> > When an optional intermediate template changes the address family,
> > it is unclear which family the next template should have. This can
> > lead to misinterpretations of IPv4/IPv6 addresses. So reject
> > optional intermediate templates on insertion time.
>
> This change breaks the installation of IPv4-in-IPv6 (or vice-versa) policies
> with IPComp, where the optional IPComp template and SA is installed with
> tunnel mode (while the ESP template/SA that follows is installed in
> transport mode) and the address family is that of the SA not that of the
> policy.
>
> Note that mixed-family scenarios with IPComp are currently broken due to an
> address family issue, but that's a problem in xfrm_tmpl_resolve_one() that
> occurs later when packets are actually matched against policies. There is a
> simple patch for it that I haven't got around to submit to the list yet.
Grmpf, I did a lot of tests, but not IPComp. This means, it might be
not so easy to fix the memory corruption I tried to fix with this.
Thanks for the heads up!
Powered by blists - more mailing lists