iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Benedict Wong 887975834d Fix XFRM-I support for nested ESP tunnels 
[ Upstream commit b0355dbbf13c0052931dd14c38c789efed64d3de ]

This change adds support for nested IPsec tunnels by ensuring that
XFRM-I verifies existing policies before decapsulating a subsequent
policies. Addtionally, this clears the secpath entries after policies
are verified, ensuring that previous tunnels with no-longer-valid
do not pollute subsequent policy checks.

This is necessary especially for nested tunnels, as the IP addresses,
protocol and ports may all change, thus not matching the previous
policies. In order to ensure that packets match the relevant inbound
templates, the xfrm_policy_check should be done before handing off to
the inner XFRM protocol to decrypt and decapsulate.

Notably, raw ESP/AH packets did not perform policy checks inherently,
whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
checks after calling xfrm_input handling in the respective encapsulation
layer.

Test: Verified with additional Android Kernel Unit tests
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-03 11:44:50 +01:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/xen: check logical size for buffer size
2022-12-14 11:31:54 +01:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
net: make free_netdev() more lenient with unregistering devices
2022-07-29 17:19:07 +02:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-30 09:41:16 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
2023-02-06 07:56:16 +01:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
netfilter: br_netfilter: disable sabotage_in hook after first suppression
2023-02-15 17:22:12 +01:00
caif
caif: fix memory leak in cfctrl_linkup_request()
2023-01-14 10:16:48 +01:00
can
can: j1939: do not wait 250 ms if the same addr was already claimed
2023-02-15 17:22:23 +01:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
net: Fix unwanted sign extension in netdev_stats_to_stats64()
2023-02-22 12:55:56 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
2023-02-22 12:55:57 +01:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
dsa
net: dsa: ksz: Check return value
2022-12-14 11:32:01 +01:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: Synchronize sequence number updates.
2023-01-14 10:15:37 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
ipv4
bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
2023-02-15 17:22:10 +01:00
ipv6
ipv6: Fix tcp socket connection with DSCP.
2023-02-22 12:55:58 +01:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:45:56 +01:00
key
af_key: Fix send_acquire race with pfkey_register
2022-12-02 17:39:58 +01:00
l2tp
l2tp: prevent lockdep issue in l2tp_tunnel_register()
2023-02-01 08:23:14 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:57:10 +02:00
mac80211
mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
2023-02-25 11:55:03 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:55:58 +01:00
mptcp
mptcp: use proper req destructor for IPv6
2023-01-14 10:16:52 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nft_tproxy: restrict to prerouting hook
2023-02-22 12:55:55 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
netlink: annotate data races around sk_state
2023-02-01 08:23:24 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-15 17:22:12 +01:00
nfc
net: nfc: Fix use-after-free in local_cleanup()
2023-02-01 08:23:12 +01:00
nsh
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:55:57 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-14 10:16:29 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: free memory on error path in radix_tree_insert()
2023-02-15 17:22:16 +01:00
rds
rds: rds_rm_zerocopy_callback() use list_first_entry()
2023-02-15 17:22:25 +01:00
rfkill
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:55:53 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2023-01-14 10:16:12 +01:00
sched
Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs"
2023-02-25 11:55:04 +01:00
sctp
sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list
2023-02-22 12:55:57 +01:00
smc
net/smc: Stop the CLC flow if no link to map buffers on
2022-09-28 11:10:36 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: ensure the matching upcall is in-flight upon downcall
2023-01-14 10:16:44 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: fix unexpected link reset due to discovery messages
2023-01-18 11:44:58 +01:00
tls
net/tls: Remove the context from the list in tls_device_down
2022-08-03 12:00:46 +02:00
unix
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
2022-12-14 11:32:01 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2023-01-14 10:15:42 +01:00
wimax
wireless
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
2023-01-14 10:15:36 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-15 17:22:15 +01:00
xdp
xsk: Inherit need_wakeup flag for shared sockets
2022-10-15 07:55:51 +02:00
xfrm
Fix XFRM-I support for nested ESP tunnels
2023-03-03 11:44:50 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c
net: remove cmsg restriction from io_uring based send/recvmsg calls
2023-01-04 11:39:24 +01:00
sysctl_net.c