summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2007-04-10 13:37:24 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2007-04-13 13:47:05 -0700
commitc823d26e9a668566fa92f7486b2380191497ba7a (patch)
treea7030731b7b05a9cefb046b9b88cbee77d1bcc4d
parent12da1b6a092a13c2cf4903fd0d39c139d511ef96 (diff)
Fix IPSEC replay window handling
[IPSEC]: Reject packets within replay window but outside the bit mask Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/xfrm/xfrm_state.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f0f2c1a07372..7cd0f3c811f4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1220,7 +1220,8 @@ int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
return 0;
diff = x->replay.seq - seq;
- if (diff >= x->props.replay_window) {
+ if (diff >= min_t(unsigned int, x->props.replay_window,
+ sizeof(x->replay.bitmap) * 8)) {
x->stats.replay_window++;
return -EINVAL;
}