xfrm: Ensure policies always checked on XFRM-I input path
stable inclusion
from stable-v5.10.186
commit bff7824db6811dbfa5212ab232786d3f40aa4fa8
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8L5XP

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bff7824db6811dbfa5212ab232786d3f40aa4fa8

--------------------------------

[ Upstream commit a287f5b0 ]

This change adds methods in the XFRM-I input path that ensure that
policies are checked prior to processing of the subsequent decapsulated
packet, after which the relevant policies may no longer be resolvable
(due to changing src/dst/proto/etc).

Notably, raw ESP/AH packets did not perform policy checks inherently,
whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
checks after calling xfrm_input handling in the respective encapsulation
layer.

Fixes: b0355dbb ("Fix XFRM-I support for nested ESP tunnels")
Test: Verified with additional Android Kernel Unit tests
Test: Verified against Android CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>