Commit 601a0867 authored by Antony Antony's avatar Antony Antony Committed by Steffen Klassert

xfrm: Add dir validation to "out" data path lookup



Introduce validation of the x->dir attribute in the XFRM output data-path
lookup. If the state's configured direction is set and is not the expected
output direction, increment the XfrmOutStateDirError counter and drop the
packet, so that a state installed for the input direction cannot be used
on the output path and flow handling stays consistent.

grep -vw 0 /proc/net/xfrm_stat
XfrmOutPolError         	1
XfrmOutStateDirError    	1

Signed-off-by: default avatarAntony Antony <antony.antony@secunet.com>
Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Reviewed-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent a4a87fa4
+3 −0
@@ -111,3 +111,6 @@ XfrmOutPolError:

XfrmOutStateInvalid:
	State is invalid, perhaps expired

XfrmOutStateDirError:
        State direction mismatch (lookup found an input state on the output path, expected output or no direction)
+1 −0
@@ -337,6 +337,7 @@ enum
	LINUX_MIB_XFRMFWDHDRERROR,		/* XfrmFwdHdrError*/
	LINUX_MIB_XFRMOUTSTATEINVALID,		/* XfrmOutStateInvalid */
	LINUX_MIB_XFRMACQUIREERROR,		/* XfrmAcquireError */
	LINUX_MIB_XFRMOUTSTATEDIRERROR,		/* XfrmOutStateDirError */
	__LINUX_MIB_XFRMMAX
};

+6 −0
@@ -2489,6 +2489,12 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,

		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
				    family, policy->if_id);
		if (x && x->dir && x->dir != XFRM_SA_DIR_OUT) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEDIRERROR);
			xfrm_state_put(x);
			error = -EINVAL;
			goto fail;
		}

		if (x && x->km.state == XFRM_STATE_VALID) {
			xfrm[nx++] = x;
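Review bot: The new condition `if (x && x->dir && x->dir != XFRM_SA_DIR_OUT)` deliberately lets a state with dir == 0 through, which is the right compatibility choice for SAs installed without a direction, but it should carry a comment because it also means the counter only catches a misdirected SA when userspace sets a direction on every SA it installs; suggest `/* dir == 0: SA installed without a direction, nothing to validate */` above the check. A second, minor point is that the direction test runs before the `x->km.state == XFRM_STATE_VALID` test, so an expired or dying input-direction SA is now reported as a direction error rather than falling into the existing invalid-state handling, which looks intended but is worth one line in the same comment. The enclosing function xfrm_tmpl_resolve_one starts before and ends after this hunk, so the `fail:` label and the declaration of `net` are not visible here; I assume `fail` only releases the states already stored in xfrm[] and does not touch x, which the new code already drops with xfrm_state_put() before jumping.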
+1 −0
@@ -41,6 +41,7 @@ static const struct snmp_mib xfrm_mib_list[] = {
	SNMP_MIB_ITEM("XfrmFwdHdrError", LINUX_MIB_XFRMFWDHDRERROR),
	SNMP_MIB_ITEM("XfrmOutStateInvalid", LINUX_MIB_XFRMOUTSTATEINVALID),
	SNMP_MIB_ITEM("XfrmAcquireError", LINUX_MIB_XFRMACQUIREERROR),
	SNMP_MIB_ITEM("XfrmOutStateDirError", LINUX_MIB_XFRMOUTSTATEDIRERROR),
	SNMP_MIB_SENTINEL
};