aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2007-04-05 03:07:39 -0400
committerDavid S. Miller <davem@davemloft.net>2007-04-05 03:07:39 -0400
commit4c4d51a7316b164ba08af61aa0c124a88bc60450 (patch)
tree432e2d46513ddb61b0da9da14410b6888c947b70 /net/xfrm
parent60e5c166413f17d5ef00b4c1f398dbd44291309a (diff)
[IPSEC]: Reject packets within replay window but outside the bit mask
Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_state.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5c5f6dcab974..e3a0bcfa5df1 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1371,7 +1371,8 @@ int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1371 return 0; 1371 return 0;
1372 1372
1373 diff = x->replay.seq - seq; 1373 diff = x->replay.seq - seq;
1374 if (diff >= x->props.replay_window) { 1374 if (diff >= min_t(unsigned int, x->props.replay_window,
1375 sizeof(x->replay.bitmap) * 8)) {
1375 x->stats.replay_window++; 1376 x->stats.replay_window++;
1376 return -EINVAL; 1377 return -EINVAL;
1377 } 1378 }