xfrm: Ensure policies always checked on XFRM-I input path (a287f5b0) · Commits · Mirrors / github.com / raspberrypi_linux · GitLab

Commit a287f5b0 authored May 10, 2023 by

Benedict Wong Committed by Steffen Klassert May 21, 2023

xfrm: Ensure policies always checked on XFRM-I input path



This change adds methods in the XFRM-I input path that ensures that
policies are checked prior to processing of the subsequent decapsulated
packet, after which the relevant policies may no longer be resolvable
(due to changing src/dst/proto/etc).

Notably, raw ESP/AH packets did not perform policy checks inherently,
whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
checks after calling xfrm_input handling in the respective encapsulation
layer.

Fixes: b0355dbb ("Fix XFRM-I support for nested ESP tunnels")
Test: Verified with additional Android Kernel Unit tests
Test: Verified against Android CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 1f8b6df6

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit c803e916
· Jul 02, 2023

mentioned in commit c803e916

mentioned in commit c803e91600bef2626744734f7ba7d617e1dc19f7

Toggle commit list
mirror @mirror
mentioned in commit 94e81817
· Jul 02, 2023

mentioned in commit 94e81817

mentioned in commit 94e81817f080311029bb563959ab2e34b3afaa10

Toggle commit list

Please register or to comment