Re: Fw: Rationale for policy check procedure

On Sat, Jun 28, 2003 at 04:26:21PM +1000, herbert wrote:
> 
> The only problem is that the check as it is doesn't work for anything
> apart from the last tunnel SA and transport SAs after it.  But that is
> easily fixed up.

Here is the patch which fixes the SA selector verification.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Index: kernel-source-2.5/net/xfrm/xfrm_policy.c
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/xfrm/xfrm_policy.c,v
retrieving revision 1.9
diff -u -r1.9 xfrm_policy.c
--- kernel-source-2.5/net/xfrm/xfrm_policy.c	20 Jun 2003 11:49:08 -0000	1.9
+++ kernel-source-2.5/net/xfrm/xfrm_policy.c	28 Jun 2003 07:32:41 -0000
@@ -866,19 +866,30 @@
 
 	/* First, check used SA against their selectors. */
 	if (skb->sp) {
+		struct flowi xfl;
 		int i;
 
+		memcpy(&xfl, &fl, sizeof(xfl));
 		for (i=skb->sp->len-1; i>=0; i--) {
-		  struct sec_decap_state *xvec = &(skb->sp->x[i]);
-			if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family))
+			struct sec_decap_state *xvec = &(skb->sp->x[i]);
+			struct xfrm_state *x = xvec->xvec;
+			xfrm_address_t *saddr, *daddr;
+
+			if (!xfrm_selector_match(&x->sel, &xfl, family))
 				return 0;
 
 			/* If there is a post_input processor, try running it */
-			if (xvec->xvec->type->post_input &&
-			    (xvec->xvec->type->post_input)(xvec->xvec,
-							   &(xvec->decap),
-							   skb) != 0)
+			if (x->type->post_input &&
+			    (x->type->post_input)(x, &(xvec->decap), skb) != 0)
 				return 0;
+
+			memset(&xfl, 0, sizeof(xfl));
+			xfl.fl_ipsec_spi = x->id.spi;
+			xfl.proto = x->id.proto;
+			saddr = xfrm_flowi_saddr(&xfl, x->props.family);
+			daddr = xfrm_flowi_daddr(&xfl, x->props.family);
+			memcpy(daddr, &x->id.daddr, sizeof(*daddr));
+			memcpy(saddr, &x->props.saddr, sizeof(*saddr));
 		}
 	}
 
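Review bot: the rebuilt flow may be matched with the wrong address family on the next pass through the loop. After `memset(&xfl, 0, sizeof(xfl))`, the addresses are laid out with `xfrm_flowi_saddr(&xfl, x->props.family)` and `xfrm_flowi_daddr(&xfl, x->props.family)`, but the next iteration still calls `xfrm_selector_match(&x->sel, &xfl, family)` with the function's original `family` argument, so for a tunnel whose outer header family differs from the inner packet's the selector would be compared against addresses in the other family's layout. Consider carrying the flow's family alongside `xfl` (for example a local set to `x->props.family` at the point the flow is rebuilt, and passed to `xfrm_selector_match` instead of `family`). A one-line comment above the `memset` saying that `xfl` is being rewritten to describe the encapsulating packet, so that the next (outer) SA is checked against the flow it actually carried, would also help, since that is the behaviour change this hunk introduces.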
