| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aCwYj1F3LSUVZRg7@gauss3.secunet.de> Date: Tue, 20 May 2025 07:52:15 +0200 From: Steffen Klassert <steffen.klassert@...unet.com> To: Leon Romanovsky <leon@...nel.org> CC: Leon Romanovsky <leonro@...dia.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Herbert Xu <herbert@...dor.apana.org.au>, Jakub Kicinski <kuba@...nel.org>, <netdev@...r.kernel.org>, Paolo Abeni <pabeni@...hat.com> Subject: Re: [PATCH ipsec-next] xfrm: validate assignment of maximal possible SEQ number On Tue, May 13, 2025 at 01:56:22PM +0300, Leon Romanovsky wrote: > From: Leon Romanovsky <leonro@...dia.com> > > Users can set any seq/seq_hi/oseq/oseq_hi values. The XFRM core code > doesn't prevent from them to set even 0xFFFFFFFF, however this value > will cause for traffic drop. > > Is is happening because SEQ numbers here mean that packet with such > number was processed and next number should be sent on the wire. In this > case, the next number will be 0, and it means overflow which causes to > (expected) packet drops. > > While it can be considered as misconfiguration and handled by XFRM > datapath in the same manner as any other SEQ number, let's add > validation to easy for packet offloads implementations which need to > configure HW with next SEQ to send and not with current SEQ like it is > done in core code. > > Signed-off-by: Leon Romanovsky <leonro@...dia.com> Applied, thanks Leon!
Powered by blists - more mailing lists