ip/xfrm: Extend SPI validity checking

A Security Parameters Index (SPI) is not used with Mobile IPv6. IPComp
uses a smaller 16-bit Compression Parameter Index (CPI) which is
passed as the SPI value. Perform checks whenever specifying an ID.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
David Ward 2013-03-25 04:23:13 +00:00 committed by Stephen Hemminger
parent 9c064b5332
commit 1d26e1fefd
2 changed files with 12 additions and 5 deletions


@ -1067,6 +1067,18 @@ int xfrm_id_parse(xfrm_address_t *saddr, struct xfrm_id *id, __u16 *family,
if (src.family && dst.family && (src.family != dst.family))
invarg("the same address family is required between \"src\" and \"dst\"", *argv);
if (id->spi && id->proto) {
if (xfrm_xfrmproto_is_ro(id->proto)) {
fprintf(stderr, "\"spi\" is invalid with XFRM-PROTO value \"%s\"\n",
strxf_xfrmproto(id->proto));
exit(1);
} else if (id->proto == IPPROTO_COMP && ntohl(id->spi) >= 0x10000) {
fprintf(stderr, "SPI value is too large with XFRM-PROTO value \"%s\"\n",
strxf_xfrmproto(id->proto));
exit(1);
}
}
if (loose == 0 && id->proto == 0)
missarg("XFRM-PROTO");
if (argc == *argcp)
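Review bot: The IPComp bound in the added `else if` is a bare `0x10000` with no comment, so the reason for the limit (the SPI field carries a 16-bit CPI for this protocol) lives only in the commit message. A short comment above the branch, such as `/* IPComp: the SPI field carries a 16-bit CPI, so only values below 0x10000 are valid */`, or a named constant for the limit, would keep that reasoning next to the check. The two error messages also name the field differently (`"spi"` in the first, `SPI value` in the second); one consistent form would be easier to match in scripts and logs. The whole check is skipped unless both `id->spi` and `id->proto` are non-zero, and xfrm_id_parse's body starts and ends outside the hunk, so whether every caller has both set by this point cannot be confirmed from here.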


@ -502,11 +502,6 @@ static int xfrm_state_modify(int cmd, unsigned flags, int argc, char **argv)
strxf_xfrmproto(req.xsinfo.id.proto));
exit(1);
}
if (req.xsinfo.id.spi != 0) {
fprintf(stderr, "\"spi\" must be 0 with proto=%s\n",
strxf_xfrmproto(req.xsinfo.id.proto));
exit(1);
}
break;
default:
break;