| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aDQhZ_ikHEt_pLn_@gondor.apana.org.au>
Date: Mon, 26 May 2025 16:08:07 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Aakash Kumar S <saakashkumar@...vell.com>
Cc: netdev@...r.kernel.org, steffen.klassert@...unet.com,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, horms@...nel.org, akamaluddin@...vell.com
Subject: Re: [PATCH] xfrm: Duplicate SPI Handling – IPsec-v3 Compliance Concern
On Mon, May 26, 2025 at 12:13:22PM +0530, Aakash Kumar S wrote:
>
> static inline unsigned int
> -__xfrm_spi_hash(const xfrm_address_t *daddr, __be32 spi, u8 proto,
> - unsigned short family, unsigned int hmask)
> +__xfrm_spi_hash(const xfrm_address_t * __maybe_unused daddr, __be32 spi,
> + u8 __maybe_unused proto, unsigned short __maybe_unused family,
> + unsigned int hmask)
> {
> - unsigned int h = (__force u32)spi ^ proto;
> - switch (family) {
> - case AF_INET:
> - h ^= __xfrm4_addr_hash(daddr);
> - break;
> - case AF_INET6:
> - h ^= __xfrm6_addr_hash(daddr);
> - break;
> - }
> + unsigned int h = (__force u32)spi;
> return (h ^ (h >> 10) ^ (h >> 20)) & hmask;
> }
I don't think this patch is sufficient. The logic around state
lookups need to be changed to exclude the destination address
comparison to achieve your objective.
It's also dangerous to unilaterally do this since existing deployments
could rely on the old behaviour. You'd need to add a toggle for
compatibility.
Cheers,
--
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists