
[9/*] [IPSEC] Check dst validity harder in xfrm_bundle_ok

To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: [9/*] [IPSEC] Check dst validity harder in xfrm_bundle_ok
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 7 Mar 2005 21:35:36 +1100
Cc: kuznet@xxxxxxxxxxxxx, jmorris@xxxxxxxxxx, yoshfuji@xxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20050306213214.7d8a143d.davem@davemloft.net>
References: <20050214221006.GA18415@gondor.apana.org.au> <20050214221200.GA18465@gondor.apana.org.au> <20050214221433.GB18465@gondor.apana.org.au> <20050214221607.GC18465@gondor.apana.org.au> <20050306213214.7d8a143d.davem@davemloft.net>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i

On Sun, Mar 06, 2005 at 09:32:14PM -0800, David S. Miller wrote:
> 
> Applied, but with a bug fix:
> 
> +             mtu = dst_pmtu(xdst->route);
> +             if (xdst->child_mtu_cached != mtu) {
> +                     last = xdst;
> +                     xdst->route_mtu_cached = mtu;
> +             }
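
Review bot: the condition on the second line of this hunk compares `xdst->child_mtu_cached` with an MTU read from `xdst->route`, while the body refreshes `xdst->route_mtu_cached`; the test should use the field that is being refreshed, i.e. `if (xdst->route_mtu_cached != mtu)`, otherwise a change in the route MTU is judged against the child's cached value and can be missed or flagged spuriously. Separately, nothing in these lines checks that `xdst->route` is still valid before `dst_pmtu()` reads from it, so a validity check on the route belongs ahead of this read.
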
> 
> You obviously meant "route_mtu_cached" in the test,
> not child_mtu_cached.

Thanks for catching this.

There is another bug in xfrm_bundle_ok where I forgot to
check the validity of xdst->route.  In fact, the check
on dst->path isn't strong enough either.  For IPv6 entries,
dst->path->obsolete is always negative until you call
ipv6_dst_check.  So we really need to do that here.

Here's the patch to fix those two problems.  Yes I know
my dst_check implementation is lame.  I'll come back and
fix up all the dst_check functions by moving their dst_release
calls out.  It proves that you were right in that IPv6 dst
leak thread :)

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Attachment: xfrm-9
Description: Text document
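
The validity check described in the message above, as a simplified user-space C model. It is an added example, not kernel code and not the attached xfrm-9 patch; `struct mdst`, its cookie fields, `v6_like_check` and the weak/strict functions are hypothetical stand-ins, and the weak form is assumed only for contrast.

```c
#include <stdio.h>

/* Hypothetical user-space model; not the kernel's dst_entry or xfrm_dst. */
struct mdst {
    int obsolete;                /* > 0: marked stale; < 0: must ask check() */
    unsigned serial;             /* routing-table generation the entry is at */
    int (*check)(const struct mdst *, unsigned cookie);
    struct mdst *child, *route, *path;
    unsigned route_cookie, path_cookie;  /* generations seen at bundle build */
};

/* IPv6-like hook: entry is good only while its generation matches the cookie. */
static int v6_like_check(const struct mdst *d, unsigned c) { return d->serial == c; }

static int dst_valid(const struct mdst *d, unsigned cookie)
{
    if (d->obsolete > 0)
        return 0;
    if (d->obsolete < 0 && d->check)
        return d->check(d, cookie);  /* negative obsolete proves nothing alone */
    return 1;
}

/* Weak form (assumed for contrast): looks only at path->obsolete > 0. */
static int bundle_ok_weak(const struct mdst *first)
{
    return first->path && first->path->obsolete <= 0;
}

/* Strict form: the path and every per-transform route must pass check(). */
static int bundle_ok_strict(const struct mdst *first)
{
    const struct mdst *d;
    if (!first->path || !dst_valid(first->path, first->path_cookie))
        return 0;
    for (d = first; d; d = d->child)
        if (!d->route || !dst_valid(d->route, d->route_cookie))
            return 0;
    return 1;
}

/* Constructed case: one-entry bundle built at generation 7, routes now at `now`. */
static int demo(int strict, unsigned now)
{
    struct mdst rt = { .obsolete = -1, .serial = now, .check = v6_like_check };
    struct mdst x = { .route = &rt, .path = &rt, .route_cookie = 7, .path_cookie = 7 };
    return strict ? bundle_ok_strict(&x) : bundle_ok_weak(&x);
}

int main(void) { printf("weak=%d strict=%d\n", demo(0, 8), demo(1, 8)); return 0; }
```

With the route table moved on to generation 8, the weak form still accepts the cached bundle while the strict form rejects it.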
