Message ID | 20220806044307.4007851-2-benedictwong@google.com (mailing list archive) |
---|---|
State | RFC |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | xfrm: Fix bugs in supporting stacked XFRM-I tunnels | expand |
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 144238a50f3d..b24df8a44585 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -585,6 +585,13 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto drop; } + // If nested tunnel, check outer states before context is lost. + if (x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL + && sp->len > 0 + && !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) { + goto drop; + } + skb->mark = xfrm_smark_get(skb->mark, x); sp->xvec[sp->len++] = x;
This change ensures that all nested XFRM packets have their policy checked before decryption of the next layer, so that policies are verified at each intermediate step of the decryption process. This is necessary especially for nested tunnels, as the IP addresses, protocol and ports may all change, thus not matching the previous policies. In order to ensure that packets match the relevant inbound templates, the xfrm_policy_check should be done before handing off to the inner XFRM protocol to decrypt and decapsulate. Test: Tested against Android Kernel Unit Tests Signed-off-by: Benedict Wong <benedictwong@google.com> Change-Id: I20c5abf39512d7f6cf438c0921a78a84e281b4e9 --- net/xfrm/xfrm_input.c | 7 +++++++ 1 file changed, 7 insertions(+)