Netdev Archive on lore.kernel.org
* [PATCH net] drivers: net: Fix *_ipsec_offload_ok(): Use ip_hdr family
From: Christian Langrock @ 2020-09-17 12:27 UTC (permalink / raw)
To: David S. Miller, netdev, jeffrey.t.kirsher, kuba, borisp
Xfrm_dev_offload_ok() is called with the unencrypted SKB. So in case of
interfamily ipsec traffic (IPv4-in-IPv6 and IPv6 in IPv4) the check
assumes the wrong family of the skb (IP family of the state).
With this patch the ip header of the SKB is used to determine the
family.
Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
drivers/net/ethernet/intel/ixgbevf/ipsec.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index eca73526ac86..3601dd293463 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -813,7 +813,7 @@ static void ixgbe_ipsec_del_sa(struct xfrm_state *xs)
**/
static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct
xfrm_state *xs)
{
- if (xs->props.family == AF_INET) {
+ if (ip_hdr(skb)->version == 4) {
/* Offload with IPv4 options is not supported yet */
if (ip_hdr(skb)->ihl != 5)
return false;
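Review bot: The context line `static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct` is broken across two lines in this hunk, and so is the `diff --git` header above it, so the patch has been line-wrapped in transit and will not apply as posted. Resend it unwrapped, for example with git send-email. The one-line change itself, `ip_hdr(skb)->version == 4`, takes the family from the packet being checked rather than from `xs->props.family`, which is what the commit message describes.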
diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
index 5170dd9d8705..b1d72d5d1744 100644
--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
@@ -418,7 +418,7 @@ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
**/
static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct
xfrm_state *xs)
{
- if (xs->props.family == AF_INET) {
+ if (ip_hdr(skb)->version == 4) {
/* Offload with IPv4 options is not supported yet */
if (ip_hdr(skb)->ihl != 5)
return false;
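Review bot: The new condition `ip_hdr(skb)->version == 4` in ixgbevf_ipsec_offload_ok() carries no comment explaining why the packet header is consulted instead of `xs->props.family`, so a later reader could easily change it back. A short comment above the condition, saying that the skb is still the unencrypted packet and can differ in family from the state for IPv4-in-IPv6 and IPv6-in-IPv4, would keep the reasoning from the commit message next to the code.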
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index d39989cddd90..e3a9b313b01f 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -460,7 +460,7 @@ void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv)
static bool mlx5e_ipsec_offload_ok(struct sk_buff *skb, struct
xfrm_state *x)
{
- if (x->props.family == AF_INET) {
+ if (ip_hdr(skb)->version == 4) {
/* Offload with IPv4 options is not supported yet */
if (ip_hdr(skb)->ihl > 5)
return false;
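Review bot: With `if (ip_hdr(skb)->version == 4)` in mlx5e_ipsec_offload_ok(), every packet whose version field is not 4 takes whatever path follows this block, which the hunk does not show. If that path assumes IPv6, test for the other family explicitly and return false for anything else, since the decision now rests on a header field rather than on configured state. The same one-line change appears in three drivers, which suggests determining the packet's family once in a shared helper or in the caller; that would also be the place to reconcile this driver's `ihl > 5` with the `ihl != 5` used in the two Intel drivers.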
--
2.21.0
--
Dipl.-Inf.(FH) Christian Langrock
Senior Consultant
Network & Client Security
Division Public Authorities
secunet Security Networks AG
Phone: +49 201 5454-3833
E-Mail: christian.langrock@secunet.com
Ammonstraße 74
01067 Dresden, Germany
www.secunet.com
______________________________________________________________________
Registered at: Kurfuerstenstrasse 58, 45138 Essen, Germany
Amtsgericht Essen HRB 13615
Management Board: Dr Rainer Baumgart (CEO), Thomas Pleines
Chairman of Supervisory Board: Ralf Wintergerst
______________________________________________________________________
* Re: [PATCH net] drivers: net: Fix *_ipsec_offload_ok(): Use ip_hdr family
From: Christian Langrock @ 2020-09-21 6:22 UTC (permalink / raw)
To: David S. Miller, netdev, jeffrey.t.kirsher, kuba, borisp
Hello David,
I saw the status of my patch has been changed to "Changes requested".
Can you tell me what I can do to get the patch accepted?
Thank you in advance!
BR,
Christian
Am 17.09.20 um 14:27 schrieb Christian Langrock:
> Xfrm_dev_offload_ok() is called with the unencrypted SKB. So in case of
> interfamily ipsec traffic (IPv4-in-IPv6 and IPv6 in IPv4) the check
> assumes the wrong family of the skb (IP family of the state).
> With this patch the ip header of the SKB is used to determine the
> family.
>
> Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
> drivers/net/ethernet/intel/ixgbevf/ipsec.c | 2 +-
> drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> index eca73526ac86..3601dd293463 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> @@ -813,7 +813,7 @@ static void ixgbe_ipsec_del_sa(struct xfrm_state *xs)
> **/
> static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct
> xfrm_state *xs)
> {
> - if (xs->props.family == AF_INET) {
> + if (ip_hdr(skb)->version == 4) {
> /* Offload with IPv4 options is not supported yet */
> if (ip_hdr(skb)->ihl != 5)
> return false;
> diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> index 5170dd9d8705..b1d72d5d1744 100644
> --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> @@ -418,7 +418,7 @@ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
> **/
> static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct
> xfrm_state *xs)
> {
> - if (xs->props.family == AF_INET) {
> + if (ip_hdr(skb)->version == 4) {
> /* Offload with IPv4 options is not supported yet */
> if (ip_hdr(skb)->ihl != 5)
> return false;
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> index d39989cddd90..e3a9b313b01f 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> @@ -460,7 +460,7 @@ void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv)
>
> static bool mlx5e_ipsec_offload_ok(struct sk_buff *skb, struct
> xfrm_state *x)
> {
> - if (x->props.family == AF_INET) {
> + if (ip_hdr(skb)->version == 4) {
> /* Offload with IPv4 options is not supported yet */
> if (ip_hdr(skb)->ihl > 5)
> return false;