From patchwork Thu Apr 11 09:42:30 2024
X-Patchwork-Submitter: Antony Antony
X-Patchwork-Id: 13625665
X-Patchwork-Delegate: kuba@kernel.org
Date: Thu, 11 Apr 2024 11:42:30 +0200
From: Antony Antony
To: Steffen Klassert, Herbert Xu
CC: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Leon Romanovsky, Eyal Birger, Nicolas Dichtel, Sabrina Dubroca
Subject: [PATCH ipsec-next v10 3/3] xfrm: Add dir validation to "in" data path lookup
In-Reply-To: <0e0d997e634261fcdf16cf9f07c97d97af7370b6.1712828282.git.antony.antony@secunet.com>
Organization: secunet

grep -vw 0 /proc/net/xfrm_stat
XfrmInDirError 3

Signed-off-by: Antony Antony
---
 include/uapi/linux/snmp.h | 1 +
 net/ipv6/xfrm6_input.c | 7 +++++++
 net/xfrm/xfrm_input.c | 11 +++++++++++
 net/xfrm/xfrm_proc.c | 1 +
 4 files changed, 20 insertions(+)

diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index 00e179c382c0..da5714e9a311 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -338,6 +338,7 @@ enum LINUX_MIB_XFRMOUTSTATEINVALID, /* XfrmOutStateInvalid */ LINUX_MIB_XFRMACQUIREERROR, /* XfrmAcquireError */ LINUX_MIB_XFRMOUTDIRERROR, /* XfrmOutDirError */ + LINUX_MIB_XFRMINDIRERROR, /* XfrmInDirError */ __LINUX_MIB_XFRMMAX }; diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index a17d783dc7c0..6faf74d2ea11 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c
@@ -279,6 +279,13 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, if (!x) continue; + if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINDIRERROR); + xfrm_state_put(x); + x = NULL; + continue; + } + spin_lock(&x->lock); if ((!i || (x->props.flags & XFRM_STATE_WILDRECV)) && diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 161f535c8b94..0b2f71e7296a 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -466,6 +466,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) { x = xfrm_input_state(skb); + if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINDIRERROR); + goto drop; + } + if (unlikely(x->km.state != XFRM_STATE_VALID)) { if (x->km.state == XFRM_STATE_ACQ) XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR); @@ -571,6 +576,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto drop; } + if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINDIRERROR); + xfrm_state_put(x); + goto drop; + } + skb->mark = xfrm_smark_get(skb->mark, x); sp->xvec[sp->len++] = x; diff --git a/net/xfrm/xfrm_proc.c b/net/xfrm/xfrm_proc.c index aa993bdd29ed..b559d87fc6e2 100644 --- a/net/xfrm/xfrm_proc.c +++ b/net/xfrm/xfrm_proc.c @@ -42,6 +42,7 @@ static const struct snmp_mib xfrm_mib_list[] = { SNMP_MIB_ITEM("XfrmOutStateInvalid", LINUX_MIB_XFRMOUTSTATEINVALID), SNMP_MIB_ITEM("XfrmAcquireError", LINUX_MIB_XFRMACQUIREERROR), SNMP_MIB_ITEM("XfrmOutDirError", LINUX_MIB_XFRMOUTDIRERROR), + SNMP_MIB_ITEM("XfrmInDirError", LINUX_MIB_XFRMINDIRERROR), SNMP_MIB_SENTINEL };
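Review bot: in the xfrm6_input_addr() hunk the `x = NULL;` after `xfrm_state_put(x);` is what keeps a wrong-direction SA from being treated as the match once the loop finishes, and that dependency is easy to miss on a quick read; a one-line comment there would help. It is also worth saying in the commit message that this check runs before `spin_lock(&x->lock)` and the state-validity checks, so an inbound packet hitting an SA with `dir != XFRM_SA_DIR_IN` is counted under XfrmInDirError even when that SA would have been rejected as invalid anyway.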
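Review bot: the first xfrm_input() hunk (the `encap_type < 0 || XFRM_GRO` path) jumps to `drop` without `xfrm_state_put(x)`, while the second xfrm_input() hunk does put the reference before `goto drop`. The asymmetry is consistent with the surrounding code: here `x` comes from `xfrm_input_state(skb)` rather than a fresh lookup, and the existing `XFRM_STATE_VALID` check right below it also drops without a put, whereas in the second hunk `x` was just returned by the lookup and has not yet been stored in `sp->xvec[sp->len++]`. A short comment on the first check explaining why no put is needed would stop someone from "fixing" it later.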
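Review bot: the identical three-line check `if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN))` now appears in three places (xfrm6_input_addr() and twice in xfrm_input()); consider a small static inline helper in the xfrm header so the semantics live in one place, in particular the fact that `dir == 0` is accepted by the check and only an explicitly set direction other than XFRM_SA_DIR_IN is rejected. That is also a detail the commit message should state, since it determines whether SAs created by older userspace that never set dir are affected.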
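Review bot: missing documentation for the new counter: the xfrm_proc.c hunk registers "XfrmInDirError" in xfrm_mib_list[], but nothing in the patch describes it, and the commit message only shows the `XfrmInDirError 3` sample output from /proc/net/xfrm_stat. Add a sentence stating the condition that increments it (an inbound packet matched an SA whose dir is set to something other than XFRM_SA_DIR_IN, and the packet was dropped), and if the tree's xfrm counter list under Documentation/networking/ enumerates the other Xfrm* counters, add XfrmInDirError there as well.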