diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-11-14 00:39:08 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:53:43 -0500 |
commit | e40b3286158565909692e5914ea4a11bdbcc68c8 (patch) | |
tree | 5ef7b76f1e02406bb839e4887f6a79ff36dde39f /net/ipv6 | |
parent | 25ee3286dcbc830a833354bb1d15567956844813 (diff) |
[IPSEC]: Forbid BEET + ipcomp for now
While BEET can theoretically work with IPComp the current code can't
do that because it tries to construct a BEET mode tunnel type which
doesn't (and cannot) exist. In fact as it is it won't even attach a
tunnel object at all for BEET which is bogus.
To support this fully we'd also need to change the policy checks on
input to recognise a plain tunnel as a legal variant of an optional
BEET transform.
This patch simply fails such constructions for now.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/ipcomp6.c | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c index 0cd4056f9127..b276d04d6db5 100644 --- a/net/ipv6/ipcomp6.c +++ b/net/ipv6/ipcomp6.c | |||
@@ -190,7 +190,6 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, | |||
190 | static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) | 190 | static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) |
191 | { | 191 | { |
192 | struct xfrm_state *t = NULL; | 192 | struct xfrm_state *t = NULL; |
193 | u8 mode = XFRM_MODE_TUNNEL; | ||
194 | 193 | ||
195 | t = xfrm_state_alloc(); | 194 | t = xfrm_state_alloc(); |
196 | if (!t) | 195 | if (!t) |
@@ -204,9 +203,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) | |||
204 | memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr)); | 203 | memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr)); |
205 | memcpy(&t->sel, &x->sel, sizeof(t->sel)); | 204 | memcpy(&t->sel, &x->sel, sizeof(t->sel)); |
206 | t->props.family = AF_INET6; | 205 | t->props.family = AF_INET6; |
207 | if (x->props.mode == XFRM_MODE_BEET) | 206 | t->props.mode = x->props.mode; |
208 | mode = x->props.mode; | ||
209 | t->props.mode = mode; | ||
210 | memcpy(t->props.saddr.a6, x->props.saddr.a6, sizeof(struct in6_addr)); | 207 | memcpy(t->props.saddr.a6, x->props.saddr.a6, sizeof(struct in6_addr)); |
211 | 208 | ||
212 | if (xfrm_init_state(t)) | 209 | if (xfrm_init_state(t)) |
@@ -405,22 +402,22 @@ static int ipcomp6_init_state(struct xfrm_state *x) | |||
405 | if (x->encap) | 402 | if (x->encap) |
406 | goto out; | 403 | goto out; |
407 | 404 | ||
408 | err = -ENOMEM; | ||
409 | ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL); | ||
410 | if (!ipcd) | ||
411 | goto out; | ||
412 | |||
413 | x->props.header_len = 0; | 405 | x->props.header_len = 0; |
414 | switch (x->props.mode) { | 406 | switch (x->props.mode) { |
415 | case XFRM_MODE_BEET: | ||
416 | case XFRM_MODE_TRANSPORT: | 407 | case XFRM_MODE_TRANSPORT: |
417 | break; | 408 | break; |
418 | case XFRM_MODE_TUNNEL: | 409 | case XFRM_MODE_TUNNEL: |
419 | x->props.header_len += sizeof(struct ipv6hdr); | 410 | x->props.header_len += sizeof(struct ipv6hdr); |
411 | break; | ||
420 | default: | 412 | default: |
421 | goto error; | 413 | goto out; |
422 | } | 414 | } |
423 | 415 | ||
416 | err = -ENOMEM; | ||
417 | ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL); | ||
418 | if (!ipcd) | ||
419 | goto out; | ||
420 | |||
424 | mutex_lock(&ipcomp6_resource_mutex); | 421 | mutex_lock(&ipcomp6_resource_mutex); |
425 | if (!ipcomp6_alloc_scratches()) | 422 | if (!ipcomp6_alloc_scratches()) |
426 | goto error; | 423 | goto error; |