authorHerbert Xu <herbert@gondor.apana.org.au>2007-11-14 00:39:08 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:53:43 -0500
commite40b3286158565909692e5914ea4a11bdbcc68c8 (patch)
tree5ef7b76f1e02406bb839e4887f6a79ff36dde39f
parent25ee3286dcbc830a833354bb1d15567956844813 (diff)
[IPSEC]: Forbid BEET + ipcomp for now
While BEET can theoretically work with IPComp the current code can't do that because it tries to construct a BEET mode tunnel type which doesn't (and cannot) exist. In fact as it is it won't even attach a tunnel object at all for BEET which is bogus. To support this fully we'd also need to change the policy checks on input to recognise a plain tunnel as a legal variant of an optional BEET transform. This patch simply fails such constructions for now. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/ipcomp.c20
-rw-r--r--net/ipv6/ipcomp6.c19
2 files changed, 20 insertions, 19 deletions
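diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 2c44a94c213..f4af99ad8fd 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -182,7 +182,6 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
 static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
 {
 	struct xfrm_state *t;
-	u8 mode = XFRM_MODE_TUNNEL;
 
 	t = xfrm_state_alloc();
 	if (t == NULL)
@@ -193,9 +192,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
 	t->id.daddr.a4 = x->id.daddr.a4;
 	memcpy(&t->sel, &x->sel, sizeof(t->sel));
 	t->props.family = AF_INET;
-	if (x->props.mode == XFRM_MODE_BEET)
-		mode = x->props.mode;
-	t->props.mode = mode;
+	t->props.mode = x->props.mode;
 	t->props.saddr.a4 = x->props.saddr.a4;
 	t->props.flags = x->props.flags;
 
@@ -389,15 +386,22 @@ static int ipcomp_init_state(struct xfrm_state *x)
 	if (x->encap)
 		goto out;
 
+	x->props.header_len = 0;
+	switch (x->props.mode) {
+	case XFRM_MODE_TRANSPORT:
+		break;
+	case XFRM_MODE_TUNNEL:
+		x->props.header_len += sizeof(struct iphdr);
+		break;
+	default:
+		goto out;
+	}
+
 	err = -ENOMEM;
 	ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);
 	if (!ipcd)
 		goto out;
 
-	x->props.header_len = 0;
-	if (x->props.mode == XFRM_MODE_TUNNEL)
-		x->props.header_len += sizeof(struct iphdr);
-
 	mutex_lock(&ipcomp_resource_mutex);
 	if (!ipcomp_alloc_scratches())
 		goto error;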
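Review bot: The `default:` arm of the new switch in ipcomp_init_state leaves through `out` with whatever `err` holds at that point, and the assignment it depends on is above the hunk (the function starts outside this section); if `err` still carries the value set by the earlier validity checks the rejection is right, but `default: err = -EINVAL; goto out;` would make the refusal self-contained and survive a later reshuffle of the checks above it. The arm also deserves a comment, because the reason BEET is refused lives only in the commit message: `/* BEET (or any unknown mode) is refused: IPComp cannot build a tunnel state for it yet */`. Placing the switch ahead of the kzalloc() is what lets the unsupported-mode path use `goto out` without leaking ipcd; a one-line comment above the switch naming that dependency would protect the ordering from a future reorder.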
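diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 0cd4056f912..b276d04d6db 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -190,7 +190,6 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
 {
 	struct xfrm_state *t = NULL;
-	u8 mode = XFRM_MODE_TUNNEL;
 
 	t = xfrm_state_alloc();
 	if (!t)
@@ -204,9 +203,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
 	memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr));
 	memcpy(&t->sel, &x->sel, sizeof(t->sel));
 	t->props.family = AF_INET6;
-	if (x->props.mode == XFRM_MODE_BEET)
-		mode = x->props.mode;
-	t->props.mode = mode;
+	t->props.mode = x->props.mode;
 	memcpy(t->props.saddr.a6, x->props.saddr.a6, sizeof(struct in6_addr));
 
 	if (xfrm_init_state(t))
@@ -405,22 +402,22 @@ static int ipcomp6_init_state(struct xfrm_state *x)
 	if (x->encap)
 		goto out;
 
-	err = -ENOMEM;
-	ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);
-	if (!ipcd)
-		goto out;
-
 	x->props.header_len = 0;
 	switch (x->props.mode) {
-	case XFRM_MODE_BEET:
 	case XFRM_MODE_TRANSPORT:
 		break;
 	case XFRM_MODE_TUNNEL:
 		x->props.header_len += sizeof(struct ipv6hdr);
+		break;
 	default:
-		goto error;
+		goto out;
 	}
 
+	err = -ENOMEM;
+	ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);
+	if (!ipcd)
+		goto out;
+
 	mutex_lock(&ipcomp6_resource_mutex);
 	if (!ipcomp6_alloc_scratches())
 		goto error;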
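Review bot: `t->props.mode = x->props.mode;` in ipcomp6_tunnel_create no longer guards against a BEET parent, so it is correct only if every caller has already passed ipcomp6_init_state's switch, which now refuses everything except transport and tunnel; that caller path is not visible in this section, so the assumption should be recorded at the assignment: `/* x is tunnel mode here: ipcomp6_init_state rejects every other mode before a tunnel state is attached */`. In ipcomp6_init_state the `default: goto out;` arm inherits `err` from code above the hunk, and an explicit `err = -EINVAL;` in the arm would keep the refusal independent of that earlier assignment. The added `break;` after the ipv6hdr length and the move of the kzalloc() below the switch together remove the old fall-through into `goto error` while ipcd was already allocated, which is worth a one-line comment above the switch so the ordering is not undone later. ipcomp6_init_state starts outside the hunk.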