Re: [PATCH ipsec v5] xfrm: replay: Fix ESN wrap around for GSO
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2022-09-30 05:55:01
Also in:
lkml
On Fri, Sep 30, 2022 at 07:40:24AM +0200, Christian Langrock wrote:
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 9a5e79a38c67..c470a68d9c88 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c@@ -738,7 +738,7 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) skb->encapsulation = 1; if (skb_is_gso(skb)) { - if (skb->inner_protocol) + if (skb->inner_protocol || xfrm_replay_overflow_check(x, skb)) return xfrm_output_gso(net, sk, skb);
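Review bot: In the changed condition in xfrm_output(), xfrm_replay_overflow_check(x, skb) is called with no lock on x visible in the surrounding context. If the helper reads replay sequence state from x, another CPU can change that state between this check and the call to xfrm_output_gso(), so the decision may be made on a stale value. Either move the check to a point where the state lock is held, or add a comment stating why an unlocked read is safe here. The new condition also needs a short comment explaining why a GSO skb that would hit the ESN wrap has to take the xfrm_output_gso() path, since the reason is not apparent from the code.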
The xfrm_state is unlocked at this point. So how can you safely check against a shared state from xfrm_state?

Cheers,
--
Email: Herbert Xu [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt