diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-11-14 00:39:08 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:53:43 -0500 |
commit | e40b3286158565909692e5914ea4a11bdbcc68c8 (patch) | |
tree | 5ef7b76f1e02406bb839e4887f6a79ff36dde39f /net/ipv4 | |
parent | 25ee3286dcbc830a833354bb1d15567956844813 (diff) |
[IPSEC]: Forbid BEET + ipcomp for now
While BEET can theoretically work with IPComp the current code can't
do that because it tries to construct a BEET mode tunnel type which
doesn't (and cannot) exist. In fact as it is it won't even attach a
tunnel object at all for BEET which is bogus.
To support this fully we'd also need to change the policy checks on
input to recognise a plain tunnel as a legal variant of an optional
BEET transform.
This patch simply fails such constructions for now.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/ipcomp.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c index 2c44a94c2135..f4af99ad8fdb 100644 --- a/net/ipv4/ipcomp.c +++ b/net/ipv4/ipcomp.c | |||
@@ -182,7 +182,6 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info) | |||
182 | static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) | 182 | static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) |
183 | { | 183 | { |
184 | struct xfrm_state *t; | 184 | struct xfrm_state *t; |
185 | u8 mode = XFRM_MODE_TUNNEL; | ||
186 | 185 | ||
187 | t = xfrm_state_alloc(); | 186 | t = xfrm_state_alloc(); |
188 | if (t == NULL) | 187 | if (t == NULL) |
@@ -193,9 +192,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) | |||
193 | t->id.daddr.a4 = x->id.daddr.a4; | 192 | t->id.daddr.a4 = x->id.daddr.a4; |
194 | memcpy(&t->sel, &x->sel, sizeof(t->sel)); | 193 | memcpy(&t->sel, &x->sel, sizeof(t->sel)); |
195 | t->props.family = AF_INET; | 194 | t->props.family = AF_INET; |
196 | if (x->props.mode == XFRM_MODE_BEET) | 195 | t->props.mode = x->props.mode; |
197 | mode = x->props.mode; | ||
198 | t->props.mode = mode; | ||
199 | t->props.saddr.a4 = x->props.saddr.a4; | 196 | t->props.saddr.a4 = x->props.saddr.a4; |
200 | t->props.flags = x->props.flags; | 197 | t->props.flags = x->props.flags; |
201 | 198 | ||
@@ -389,15 +386,22 @@ static int ipcomp_init_state(struct xfrm_state *x) | |||
389 | if (x->encap) | 386 | if (x->encap) |
390 | goto out; | 387 | goto out; |
391 | 388 | ||
389 | x->props.header_len = 0; | ||
390 | switch (x->props.mode) { | ||
391 | case XFRM_MODE_TRANSPORT: | ||
392 | break; | ||
393 | case XFRM_MODE_TUNNEL: | ||
394 | x->props.header_len += sizeof(struct iphdr); | ||
395 | break; | ||
396 | default: | ||
397 | goto out; | ||
398 | } | ||
399 | |||
392 | err = -ENOMEM; | 400 | err = -ENOMEM; |
393 | ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL); | 401 | ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL); |
394 | if (!ipcd) | 402 | if (!ipcd) |
395 | goto out; | 403 | goto out; |
396 | 404 | ||
397 | x->props.header_len = 0; | ||
398 | if (x->props.mode == XFRM_MODE_TUNNEL) | ||
399 | x->props.header_len += sizeof(struct iphdr); | ||
400 | |||
401 | mutex_lock(&ipcomp_resource_mutex); | 405 | mutex_lock(&ipcomp_resource_mutex); |
402 | if (!ipcomp_alloc_scratches()) | 406 | if (!ipcomp_alloc_scratches()) |
403 | goto error; | 407 | goto error; |