tmakin/ack-tegra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xfrm: prevent high SEQ input in non-ESN mode

Browse Source 
[ Upstream commit e3aa43a50a6455831e3c32dabc7ece38d9cd9d05 ]

In non-ESN mode, the SEQ numbers are limited to 32 bits and seq_hi/oseq_hi
are not used. So make sure that user gets proper error message, in case
such assignment occurred.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Leon Romanovsky
2025-02-05 20:27:49 +02:00
committed by Greg Kroah-Hartman
parent bbd6dc1fb6
commit 06daedb443
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/xfrm/xfrm_user.c
+12
View File
@@ -178,6 +178,12 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
"Replay seq and seq_hi should be 0 for output SA"); "Replay seq and seq_hi should be 0 for output SA");
return -EINVAL; return -EINVAL;
} }
if (rs->oseq_hi && !(p->flags & XFRM_STATE_ESN)) {
NL_SET_ERR_MSG(
extack,
"Replay oseq_hi should be 0 in non-ESN mode for output SA");
return -EINVAL;
}
if (rs->bmp_len) { if (rs->bmp_len) {
NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA"); NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA");
return -EINVAL; return -EINVAL;
@@ -190,6 +196,12 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
"Replay oseq and oseq_hi should be 0 for input SA"); "Replay oseq and oseq_hi should be 0 for input SA");
return -EINVAL; return -EINVAL;
} }
if (rs->seq_hi && !(p->flags & XFRM_STATE_ESN)) {
NL_SET_ERR_MSG(
extack,
"Replay seq_hi should be 0 in non-ESN mode for input SA");
return -EINVAL;
}
} }
return 0; return 0;