Commit fadd1a63 authored Jul 29, 2020 by Sabrina Dubroca Committed by Steffen Klassert Jul 30, 2020

espintcp: handle short messages instead of breaking the encap socket



Currently, short messages (less than 4 bytes after the length header)
will break the stream of messages. This is unnecessary, since we can
still parse messages even if they're too short to contain any usable
data. This is also bogus, as keepalive messages (a single 0xff byte),
though not needed with TCP encapsulation, should be allowed.

This patch changes the stream parser so that short messages are
accepted and dropped in the kernel. Messages that contain a valid SPI
or non-ESP header are processed as before.

Fixes: e27cca96 ("xfrm: add espintcp (RFC 8229)")
Reported-by: Andrew Cagney <cagney@libreswan.org>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent d5dba137

net/xfrm/espintcp.c

+24 −1

Original line number	Diff line number	Diff line
		@@ -49,9 +49,32 @@ static void espintcp_rcv(struct strparser strp, struct sk_buff skb)
		struct espintcp_ctx *ctx = container_of(strp, struct espintcp_ctx,
		strp);
		struct strp_msg *rxm = strp_msg(skb);
		int len = rxm->full_len - 2;
		u32 nonesp_marker;
		int err;

		/* keepalive packet? */
		if (unlikely(len == 1)) {
		u8 data;

		err = skb_copy_bits(skb, rxm->offset + 2, &data, 1);
		if (err < 0) {
		kfree_skb(skb);
		return;
		}

		if (data == 0xff) {
		kfree_skb(skb);
		return;
		}
		}

		/* drop other short messages */
		if (unlikely(len <= sizeof(nonesp_marker))) {
		kfree_skb(skb);
		return;
		}

		err = skb_copy_bits(skb, rxm->offset + 2, &nonesp_marker,
		sizeof(nonesp_marker));
		if (err < 0) {
		@@ -91,7 +114,7 @@ static int espintcp_parse(struct strparser strp, struct sk_buff skb)
		return err;

		len = be16_to_cpu(blen);
		if (len < 6)
		if (len < 2)
		return -EINVAL;

		return len;

Admin message