Netdev Archive on lore.kernel.org
From: Christian Langrock <christian.langrock@secunet.com> To: "David S. Miller" <davem@davemloft.net>, <netdev@vger.kernel.org>, <jeffrey.t.kirsher@intel.com>, <kuba@kernel.org>, <borisp@nvidia.com> Subject: [PATCH net] drivers: net: Fix *_ipsec_offload_ok(): Use ip_hdr family Date: Thu, 17 Sep 2020 14:27:42 +0200 [thread overview] Message-ID: <14366463-cf15-ceec-c3ee-17b5796ac59c@secunet.com> (raw) [-- Attachment #1.1: Type: text/plain, Size: 3416 bytes --] Xfrm_dev_offload_ok() is called with the unencrypted SKB. So in case of interfamily ipsec traffic (IPv4-in-IPv6 and IPv6 in IPv4) the check assumes the wrong family of the skb (IP family of the state). With this patch the ip header of the SKB is used to determine the family. Signed-off-by: Christian Langrock <christian.langrock@secunet.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +- drivers/net/ethernet/intel/ixgbevf/ipsec.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index eca73526ac86..3601dd293463 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c @@ -813,7 +813,7 @@ static void ixgbe_ipsec_del_sa(struct xfrm_state *xs) **/ static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) { - if (xs->props.family == AF_INET) { + if (ip_hdr(skb)->version == 4) { /* Offload with IPv4 options is not supported yet */ if (ip_hdr(skb)->ihl != 5) return false; diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c index 5170dd9d8705..b1d72d5d1744 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c 
@@ -418,7 +418,7 @@ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs) **/ static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) { - if (xs->props.family == AF_INET) { + if (ip_hdr(skb)->version == 4) { /* Offload with IPv4 options is not supported yet */ if (ip_hdr(skb)->ihl != 5) return false; diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c index d39989cddd90..e3a9b313b01f 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c @@ -460,7 +460,7 @@ void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv) static bool mlx5e_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x) { - if (x->props.family == AF_INET) { + if (ip_hdr(skb)->version == 4) { /* Offload with IPv4 options is not supported yet */ if (ip_hdr(skb)->ihl > 5) return false; -- 2.21.0 -- Dipl.-Inf.(FH) Christian Langrock Senior Consultant Network & Client Security Division Public Authorities secunet Security Networks AG Phone: +49 201 5454-3833 E-Mail: christian.langrock@secunet.com Ammonstraße 74 01067 Dresden, Germany www.secunet.com ______________________________________________________________________ Registered at: Kurfuerstenstrasse 58, 45138 Essen, Germany Amtsgericht Essen HRB 13615 Management Board: Dr Rainer Baumgart (CEO), Thomas Pleines Chairman of Supervisory Board: Ralf Wintergerst ______________________________________________________________________ [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 473 bytes --]
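Review bot: In ixgbe_ipsec_offload_ok() the new test `ip_hdr(skb)->version == 4` reads the version field through an IPv4 header pointer before the packet is known to be IPv4, and nothing in the code says why the packet is consulted instead of `xs->props.family`. The read is valid because the version nibble is the first four bits of both the IPv4 and the IPv6 header, but that reasoning, together with the inter-family case from the commit message (the skb is the unencrypted inner packet, so its family can differ from the state's), belongs in a short comment above the `if` so the next reader does not "fix" it back.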
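Review bot: The ixgbevf_ipsec_offload_ok() hunk open-codes the same `ip_hdr(skb)->version == 4` test that the ixgbe and mlx5 hunks also add, so the inner-family decision now lives in three drivers that can drift apart. Consider one shared helper that returns the family of the skb handed to the offload_ok callback and calling it from all three. Since the patch targets net and the message carries only a Signed-off-by, a Fixes: tag per affected driver would also help stable backports.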
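Review bot: In mlx5e_ipsec_offload_ok() the unchanged context line right after the new condition tests `ip_hdr(skb)->ihl > 5`, while the ixgbe and ixgbevf versions of the same check test `ip_hdr(skb)->ihl != 5`. With all three drivers now keying the branch on the same packet field, either align the options check across them or say in the commit message that the difference is intentional.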
Thread overview: 2+ messages
2020-09-17 12:27 Christian Langrock [this message]
2020-09-21  6:22 ` [PATCH net] drivers: net: Fix *_ipsec_offload_ok(): Use ip_hdr family Christian Langrock