Checking SPI in xfrm_state

netdev

Checking SPI in xfrm_state_find

To:	Patrick McHardy <kaber@xxxxxxxxx>
Subject:	Checking SPI in xfrm_state_find
From:	Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date:	Tue, 29 Mar 2005 09:39:17 +1000
Cc:	"David S. Miller" <davem@xxxxxxxxxxxxx>, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxxx>, YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to:	<424864CE.5060802@xxxxxxxxx>
References:	<20050214221006.GA18415@xxxxxxxxxxxxxxxxxxx> <20050214221200.GA18465@xxxxxxxxxxxxxxxxxxx> <20050214221433.GB18465@xxxxxxxxxxxxxxxxxxx> <20050214221607.GC18465@xxxxxxxxxxxxxxxxxxx> <424864CE.5060802@xxxxxxxxx>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mutt/1.5.6+20040907i

On Mon, Mar 28, 2005 at 10:10:54PM +0200, Patrick McHardy wrote:
> 
> Something unrelated I was also wondering about, from xfrm_find_state():
> 
>         list_for_each_entry(x, xfrm_state_bydst+h, bydst) {
>                 if (x->props.family == family &&
>                     x->props.reqid == tmpl->reqid &&
>                     xfrm_state_addr_check(x, daddr, saddr, family) &&
>                     tmpl->mode == x->props.mode &&
>                     tmpl->id.proto == x->id.proto) {
> 
> Shouldn't we check for (tmpl->id.spi == x->id.spi || !tmpl->id.spi) ?

Absolutely.  We should also fix the larval state generation in that
same function to fail the operation if that SPI already exists.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
*Re: [15/] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data*, (continued)* *Re: [15/] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data*, Mika Penttilä* *Re: [15/] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data*, Herbert Xu* *Re: [13/] [IPV4] Fix room calculation in icmp_send*, David S. Miller* *Re: [12/] [IPSEC] Handle local_df in IPv4*, David S. Miller* *Re: [12/] [IPSEC] Handle local_df in IPv4*, YOSHIFUJI Hideaki / 吉藤英明* *Re: [12/] [IPSEC] Handle local_df in IPv4*, YOSHIFUJI Hideaki / 吉藤英明* Re: [4/4] [IPSEC] Store MTU at each xfrm_dst, Patrick McHardy [IPSEC] Move xfrm_flush_bundles into xfrm_state GC, Herbert Xu Re: [IPSEC] Move xfrm_flush_bundles into xfrm_state GC, Patrick McHardy Re: [IPSEC] Move xfrm_flush_bundles into xfrm_state GC, David S. Miller Checking SPI in xfrm_state_find, Herbert Xu <= Re: Checking SPI in xfrm_state_find, Patrick McHardy Re: Checking SPI in xfrm_state_find, Herbert Xu Re: Checking SPI in xfrm_state_find, David S. Miller

Previous by Date:	[PATCH: 2.6.12-rc1] mv643xx: ethernet driver updates, Dale Farnsworth
Next by Date:	mv643xx(1/20): Add mv643xx_enet support for PPC Pegasos platform, Dale Farnsworth
Previous by Thread:	Re: [IPSEC] Move xfrm_flush_bundles into xfrm_state GC, David S. Miller
Next by Thread:	Re: Checking SPI in xfrm_state_find, Patrick McHardy
Indexes:	[Date] [Thread] [Top] [All Lists]