diff mbox series

[ipsec-next,v10,3/3] xfrm: Add dir validation to "in" data path lookup

Message ID d5e2ad71471e2895b19cb60c9a989228cd9a5d96.1712828282.git.antony.antony@secunet.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [ipsec-next,v10,1/3] xfrm: Add Direction to the SA in or out | expand

Checks

Context Check Description
netdev/series_format warning Series does not have a cover letter; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 5023 this patch: 5023
netdev/build_tools success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 5 maintainers not CCed: noureddine@arista.com heng.guo@windriver.com dsahern@kernel.org 0x7f454c46@gmail.com fruggeri@arista.com
netdev/build_clang success Errors and warnings before: 1066 this patch: 1066
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 5299 this patch: 5299
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 50 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-04-11--12-00 (tests: 960)

Commit Message

Antony Antony April 11, 2024, 9:42 a.m. UTC 
grep -vw 0 /proc/net/xfrm_stat
XfrmInDirError          	3

Signed-off-by: Antony Antony <antony.antony@secunet.com>
---
 include/uapi/linux/snmp.h |  1 +
 net/ipv6/xfrm6_input.c    |  7 +++++++
 net/xfrm/xfrm_input.c     | 11 +++++++++++
 net/xfrm/xfrm_proc.c      |  1 +
 4 files changed, 20 insertions(+)

Comments

Nicolas Dichtel April 12, 2024, 1:54 p.m. UTC | #1 
Le 11/04/2024 à 11:42, Antony Antony a écrit :
> grep -vw 0 /proc/net/xfrm_stat
> XfrmInDirError          	3
> 
> Signed-off-by: Antony Antony <antony.antony@secunet.com>
> ---
>  include/uapi/linux/snmp.h |  1 +
>  net/ipv6/xfrm6_input.c    |  7 +++++++
>  net/xfrm/xfrm_input.c     | 11 +++++++++++
>  net/xfrm/xfrm_proc.c      |  1 +
>  4 files changed, 20 insertions(+)
> 
> diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
> index 00e179c382c0..da5714e9a311 100644
> --- a/include/uapi/linux/snmp.h
> +++ b/include/uapi/linux/snmp.h
> @@ -338,6 +338,7 @@ enum
>  	LINUX_MIB_XFRMOUTSTATEINVALID,		/* XfrmOutStateInvalid */
>  	LINUX_MIB_XFRMACQUIREERROR,		/* XfrmAcquireError */
>  	LINUX_MIB_XFRMOUTDIRERROR,		/* XfrmOutDirError */
> +	LINUX_MIB_XFRMINDIRERROR,		/* XfrmInDirError */
Same here:
LINUX_MIB_XFRMINSTATEDIRERROR / XfrmInStateDirError
Antony Antony April 15, 2024, 7:54 p.m. UTC | #2 
On Fri, Apr 12, 2024 at 03:54:51PM +0200, Nicolas Dichtel via Devel wrote:
> Le 11/04/2024 à 11:42, Antony Antony a écrit :
> > grep -vw 0 /proc/net/xfrm_stat
> > XfrmInDirError          	3
> > 
> > Signed-off-by: Antony Antony <antony.antony@secunet.com>
> > ---
> >  include/uapi/linux/snmp.h |  1 +
> >  net/ipv6/xfrm6_input.c    |  7 +++++++
> >  net/xfrm/xfrm_input.c     | 11 +++++++++++
> >  net/xfrm/xfrm_proc.c      |  1 +
> >  4 files changed, 20 insertions(+)
> > 
> > diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
> > index 00e179c382c0..da5714e9a311 100644
> > --- a/include/uapi/linux/snmp.h
> > +++ b/include/uapi/linux/snmp.h
> > @@ -338,6 +338,7 @@ enum
> >  	LINUX_MIB_XFRMOUTSTATEINVALID,		/* XfrmOutStateInvalid */
> >  	LINUX_MIB_XFRMACQUIREERROR,		/* XfrmAcquireError */
> >  	LINUX_MIB_XFRMOUTDIRERROR,		/* XfrmOutDirError */
> > +	LINUX_MIB_XFRMINDIRERROR,		/* XfrmInDirError */
> Same here:
> LINUX_MIB_XFRMINSTATEDIRERROR / XfrmInStateDirError

yes thanks.
diff mbox series

Patch

diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
index 00e179c382c0..da5714e9a311 100644
--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
@@ -338,6 +338,7 @@  enum
 	LINUX_MIB_XFRMOUTSTATEINVALID,		/* XfrmOutStateInvalid */
 	LINUX_MIB_XFRMACQUIREERROR,		/* XfrmAcquireError */
 	LINUX_MIB_XFRMOUTDIRERROR,		/* XfrmOutDirError */
+	LINUX_MIB_XFRMINDIRERROR,		/* XfrmInDirError */
 	__LINUX_MIB_XFRMMAX
 };
 
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index a17d783dc7c0..6faf74d2ea11 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -279,6 +279,13 @@  int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
 		if (!x)
 			continue;
 
+		if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
+			XFRM_INC_STATS(net, LINUX_MIB_XFRMINDIRERROR);
+			xfrm_state_put(x);
+			x = NULL;
+			continue;
+		}
+
 		spin_lock(&x->lock);
 
 		if ((!i || (x->props.flags & XFRM_STATE_WILDRECV)) &&
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 161f535c8b94..0b2f71e7296a 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -466,6 +466,11 @@  int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 	if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) {
 		x = xfrm_input_state(skb);
 
+		if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
+			XFRM_INC_STATS(net, LINUX_MIB_XFRMINDIRERROR);
+			goto drop;
+		}
+
 		if (unlikely(x->km.state != XFRM_STATE_VALID)) {
 			if (x->km.state == XFRM_STATE_ACQ)
 				XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
@@ -571,6 +576,12 @@  int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 			goto drop;
 		}
 
+		if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
+			XFRM_INC_STATS(net, LINUX_MIB_XFRMINDIRERROR);
+			xfrm_state_put(x);
+			goto drop;
+		}
+
 		skb->mark = xfrm_smark_get(skb->mark, x);
 
 		sp->xvec[sp->len++] = x;
diff --git a/net/xfrm/xfrm_proc.c b/net/xfrm/xfrm_proc.c
index aa993bdd29ed..b559d87fc6e2 100644
--- a/net/xfrm/xfrm_proc.c
+++ b/net/xfrm/xfrm_proc.c
@@ -42,6 +42,7 @@  static const struct snmp_mib xfrm_mib_list[] = {
 	SNMP_MIB_ITEM("XfrmOutStateInvalid", LINUX_MIB_XFRMOUTSTATEINVALID),
 	SNMP_MIB_ITEM("XfrmAcquireError", LINUX_MIB_XFRMACQUIREERROR),
 	SNMP_MIB_ITEM("XfrmOutDirError", LINUX_MIB_XFRMOUTDIRERROR),
+	SNMP_MIB_ITEM("XfrmInDirError", LINUX_MIB_XFRMINDIRERROR),
 	SNMP_MIB_SENTINEL
 };