subject:"Re\: \[IPSEC\]\: Fix reversed ICMP6 policy check"

Re: [IPSEC]: Fix reversed ICMP6 policy check

2007-12-13 Thread Jarek Poplawski

On 13-12-2007 03:49, Herbert Xu wrote:
 On Thu, Dec 13, 2007 at 09:58:56AM +0800, Herbert Xu wrote:
 [IPSEC]: Fix reversed ICMP6 policy check
 
 While that won't crash anymore, it's still logically wrong.
 
 Here's a more complete fix.

...even more than this!

Since more than a year each time I read your patches I wonder what
kind of special attachments you use they are so unreadble (blurred)
in Mozilla Thunderbird (but, I was never so desperate to study all
these mail RFCs). And now - BINGO! So, they are simply treated as
signatures! Nice trick! But, I see, you forgot about something this
time, and now it's all clear! (Actually, I probably need one more
year to find, how to turn off this sh...)

Thanks,
Jarek P.
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [IPSEC]: Fix reversed ICMP6 policy check

2007-12-12 Thread David Miller

From: Herbert Xu [EMAIL PROTECTED]
Date: Thu, 13 Dec 2007 09:58:56 +0800

 [IPSEC]: Fix reversed ICMP6 policy check

 The policy check I added for ICMP on IPv6 is reversed.  This
 patch fixes that.

 It also adds an skb-sp check so that unprotected packets that
 fail the policy check do not crash the machine.

 Signed-off-by: Herbert Xu [EMAIL PROTECTED]

Applied, thanks Herbert.
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [IPSEC]: Fix reversed ICMP6 policy check

2007-12-12 Thread Herbert Xu

On Thu, Dec 13, 2007 at 09:58:56AM +0800, Herbert Xu wrote:

 [IPSEC]: Fix reversed ICMP6 policy check

While that won't crash anymore, it's still logically wrong.

Here's a more complete fix.

[IPSEC]: Fix reversed ICMP6 policy check

The policy check I added for ICMP on IPv6 is reversed.  We were also
letting packets through incorrectly if the ICMP flag isn't set.  This
patch fixes that.

It also adds an skb-sp check so that unprotected packets that
fail the policy check do not crash the machine.

Signed-off-by: Herbert Xu [EMAIL PROTECTED]

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 4e3bfcd..ccdef9a 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -978,10 +978,13 @@ int icmp_rcv(struct sk_buff *skb)
struct icmphdr *icmph;
struct rtable *rt = (struct rtable *)skb-dst;
 
-   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb) 
-   skb-sp-xvec[skb-sp-len - 1]-props.flags  XFRM_STATE_ICMP) {
+   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
int nh;
 
+   if (!(skb-sp  skb-sp-xvec[skb-sp-len - 1]-props.flags 
+XFRM_STATE_ICMP))
+   goto drop;
+
if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr)))
goto drop;
 
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 478ee77..bbf4162 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -646,10 +646,13 @@ static int icmpv6_rcv(struct sk_buff *skb)
struct icmp6hdr *hdr;
int type;
 
-   if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb) 
-   skb-sp-xvec[skb-sp-len - 1]-props.flags  XFRM_STATE_ICMP) {
+   if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
int nh;
 
+   if (!(skb-sp  skb-sp-xvec[skb-sp-len - 1]-props.flags 
+XFRM_STATE_ICMP))
+   goto drop_no_count;
+
if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(*orig_hdr)))
goto drop_no_count;
 

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmVHI~} [EMAIL PROTECTED]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [IPSEC]: Fix reversed ICMP6 policy check

2007-12-12 Thread David Miller

From: Herbert Xu [EMAIL PROTECTED]
Date: Thu, 13 Dec 2007 10:49:18 +0800

 On Thu, Dec 13, 2007 at 09:58:56AM +0800, Herbert Xu wrote:
 
  [IPSEC]: Fix reversed ICMP6 policy check
 
 While that won't crash anymore, it's still logically wrong.
 
 Here's a more complete fix.

I already applied the first one, please send a relative
fixup which I'll combine as appropriate next rebase.
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [IPSEC]: Fix reversed ICMP6 policy check

2007-12-12 Thread Herbert Xu

On Wed, Dec 12, 2007 at 06:48:30PM -0800, David Miller wrote:
 From: Herbert Xu [EMAIL PROTECTED]
 Date: Thu, 13 Dec 2007 09:58:56 +0800
 
  [IPSEC]: Fix reversed ICMP6 policy check
 
 Applied, thanks Herbert.

You're too quick :) Before you ask for an incremental patch, here's
a preemptive strike :)

[IPSEC]: Do not let packets pass when ICMP flag is off

This fixes a logical error in ICMP policy checks which lets
packets through if the state ICMP flag is off.

Signed-off-by: Herbert Xu [EMAIL PROTECTED]

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmVHI~} [EMAIL PROTECTED]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 132e879..ccdef9a 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -978,10 +978,13 @@ int icmp_rcv(struct sk_buff *skb)
struct icmphdr *icmph;
struct rtable *rt = (struct rtable *)skb-dst;
 
-   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)  skb-sp 
-   skb-sp-xvec[skb-sp-len - 1]-props.flags  XFRM_STATE_ICMP) {
+   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
int nh;
 
+   if (!(skb-sp  skb-sp-xvec[skb-sp-len - 1]-props.flags 
+XFRM_STATE_ICMP))
+   goto drop;
+
if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr)))
goto drop;
 
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 64d78c9..bbf4162 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -646,10 +646,13 @@ static int icmpv6_rcv(struct sk_buff *skb)
struct icmp6hdr *hdr;
int type;
 
-   if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)  skb-sp 
-   skb-sp-xvec[skb-sp-len - 1]-props.flags  XFRM_STATE_ICMP) {
+   if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
int nh;
 
+   if (!(skb-sp  skb-sp-xvec[skb-sp-len - 1]-props.flags 
+XFRM_STATE_ICMP))
+   goto drop_no_count;
+
if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(*orig_hdr)))
goto drop_no_count;
 
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [IPSEC]: Fix reversed ICMP6 policy check

2007-12-12 Thread David Miller

From: Herbert Xu [EMAIL PROTECTED]
Date: Thu, 13 Dec 2007 10:51:56 +0800

 You're too quick :) Before you ask for an incremental patch, here's
 a preemptive strike :)

Hehe :)

 [IPSEC]: Do not let packets pass when ICMP flag is off
 
 This fixes a logical error in ICMP policy checks which lets
 packets through if the state ICMP flag is off.
 
 Signed-off-by: Herbert Xu [EMAIL PROTECTED]

Applied, thanks!
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [IPSEC]: Fix reversed ICMP6 policy check

Re: [IPSEC]: Fix reversed ICMP6 policy check

Re: [IPSEC]: Fix reversed ICMP6 policy check

Re: [IPSEC]: Fix reversed ICMP6 policy check

Re: [IPSEC]: Fix reversed ICMP6 policy check

Re: [IPSEC]: Fix reversed ICMP6 policy check

6 matches

Site Navigation

Mail list logo

Footer information