Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[IPSEC]: Reject packets within replay window but outside the bit mask

Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accommodate 32 packets. Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.

This patch causes those packets to be rejected instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
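To make the mismatch between the configured window and the 32-bit bitmap concrete, here is an added example constructed for this page (it is not kernel code and not part of the commit): a small model of the xfrm replay state with a 32-bit bitmap, a check that can run in pre-patch or patched mode, and the scenario the commit message describes. The struct layout, function names, the 64-wide window and the sequence numbers are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the xfrm anti-replay state.
 * The bitmap is 32 bits wide, like x->replay.bitmap in the patch:
 * bit i set means "sequence number (seq - i) has already been seen". */
#define BITMAP_BITS ((uint32_t)(sizeof(uint32_t) * 8))   /* 32 */

struct replay_state {
    uint32_t seq;                     /* highest sequence number accepted so far */
    uint32_t bitmap;                  /* history of the BITMAP_BITS packets at/below seq */
    uint32_t window;                  /* configured replay_window; may be > 32 */
    unsigned long stat_replay_window; /* rejected: outside the window */
    unsigned long stat_replay;        /* rejected: already seen */
};

/* Verdict for an incoming sequence number: 0 = accept, -1 = reject.
 * clamp_to_bitmap == 0 models the pre-patch check (compare against the
 * configured window only); clamp_to_bitmap == 1 models the patch
 * (compare against min(window, bitmap width)). */
int replay_check(struct replay_state *x, uint32_t seq, int clamp_to_bitmap)
{
    uint32_t limit = x->window;
    uint32_t diff;

    if (clamp_to_bitmap && limit > BITMAP_BITS)
        limit = BITMAP_BITS;

    if (seq == 0)
        return -1;                /* ESP never uses sequence number 0 */

    if (seq > x->seq)
        return 0;                 /* newer than anything seen: accept */

    diff = x->seq - seq;
    if (diff >= limit) {
        x->stat_replay_window++;  /* too old, or (patched) beyond the bitmap */
        return -1;
    }

    /* Only diff < BITMAP_BITS can be looked up. In the pre-patch model a
     * larger diff reaches this point and, having no bit to consult, is
     * accepted: that is the hole the commit message describes. */
    if (diff < BITMAP_BITS && (x->bitmap & (1U << diff))) {
        x->stat_replay++;
        return -1;
    }
    return 0;
}

/* Record an accepted packet: slide the bitmap forward or set one bit. */
void replay_advance(struct replay_state *x, uint32_t seq)
{
    if (seq > x->seq) {
        uint32_t diff = seq - x->seq;
        x->bitmap = diff < BITMAP_BITS ? (x->bitmap << diff) | 1U : 1U;
        x->seq = seq;
    } else {
        uint32_t diff = x->seq - seq;
        if (diff < BITMAP_BITS)
            x->bitmap |= 1U << diff;
    }
}

/* Scenario from the commit message: window configured to 64 (wider than
 * the bitmap), highest sequence seen is 100, and packet 60 (diff 40)
 * arrives. It lies inside the 64-wide window but outside the 32-bit bitmap,
 * so its delivery history is unknown. */
int scenario_outside_bitmap(int clamp_to_bitmap)
{
    struct replay_state x = { .seq = 100, .bitmap = 1U, .window = 64 };
    return replay_check(&x, 60, clamp_to_bitmap);
}

/* A genuine duplicate inside the bitmap is caught in both modes. */
int scenario_duplicate(int clamp_to_bitmap)
{
    struct replay_state x = { .seq = 100, .bitmap = 1U, .window = 64 };
    replay_advance(&x, 95);       /* 95 accepted once */
    return replay_check(&x, 95, clamp_to_bitmap);
}

int main(void)
{
    printf("seq 60 with window 64: pre-patch=%d, patched=%d\n",
           scenario_outside_bitmap(0), scenario_outside_bitmap(1));
    printf("duplicate seq 95: pre-patch=%d, patched=%d\n",
           scenario_duplicate(0), scenario_duplicate(1));
    return 0;
}
```

In the pre-patch mode the packet at diff 40 is accepted even though the state has no record of whether it was already delivered; with the clamp it is rejected and counted under the window statistic, which is the behaviour the patch introduces. The model skips the bitmap lookup for diffs beyond 32 rather than shifting by an out-of-range count, so it stays well-defined C while reproducing the "accepted" outcome the message describes.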

Authored by Herbert Xu and committed by David S. Miller
4c4d51a7 60e5c166

+2 -1
net/xfrm/xfrm_state.c
··· 1371 1371 return 0; 1372 1372 1373 1373 diff = x->replay.seq - seq; 1374 - if (diff >= x->props.replay_window) { 1374 + if (diff >= min_t(unsigned int, x->props.replay_window, 1375 + sizeof(x->replay.bitmap) * 8)) { 1375 1376 x->stats.replay_window++; 1376 1377 return -EINVAL; 1377 1378 }
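Review bot: the clamp `min_t(unsigned int, x->props.replay_window, sizeof(x->replay.bitmap) * 8)` is recomputed on every packet and silently narrows a window the administrator configured; consider also capping or rejecting a `replay_window` larger than the bitmap when the state is created, so the effective window is visible rather than quietly 32, and give `sizeof(x->replay.bitmap) * 8` a named constant since the same bound applies wherever the bitmap is shifted or indexed. Note too that `x->stats.replay_window++` now also counts packets that are inside the configured window but beyond the bitmap, so the counter's meaning has widened and the commit message could say so.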