[IPSEC]: Missing ipv6 policy checks.

c81baf47 · Tom Lendacky · Linus Torvalds · 0946befc · c81baf47 · c81baf47
Commit c81baf47 authored Mar 28, 2003 by Tom Lendacky Committed by Linus Torvalds Mar 28, 2003
9 changed files
--- a/include/net/protocol.h
+++ b/include/net/protocol.h
@@ -50,6 +50,7 @@ struct inet6_protocol
 			       struct inet6_skb_parm *opt,
 			       int type, int code, int offset,
 			       __u32 info);
+	int	no_policy;
 };
 #endif

--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -330,6 +330,7 @@ static struct xfrm_type ah6_type =
 static struct inet6_protocol ah6_protocol = {
 	.handler	=	xfrm6_rcv,
 	.err_handler	=	ah6_err,
+	.no_policy	=	1,
 };
 int __init ah6_init(void)

--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -499,6 +499,7 @@ static struct xfrm_type esp6_type =
 static struct inet6_protocol esp6_protocol = {
 	.handler 	=	xfrm6_rcv,
 	.err_handler	=	esp6_err,
+	.no_policy	=	1,
 };
 int __init esp6_init(void)

--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -43,6 +43,7 @@
 #include <net/ndisc.h>
 #include <net/ip6_route.h>
 #include <net/addrconf.h>
+#include <net/xfrm.h>
@@ -149,7 +150,14 @@ static inline int ip6_input_finish(struct sk_buff *skb)
 	hash = nexthdr & (MAX_INET_PROTOS - 1);
 	if ((ipprot = inet6_protos[hash]) != NULL) {
-		int ret = ipprot->handler(&skb);
+		int ret;
+		if (!ipprot->no_policy &&
+		    !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+			kfree_skb(skb);
+			return 0;
+		}
+		ret = ipprot->handler(&skb);
 		if (ret < 0) {
 			nexthdr = -ret;
 			goto resubmit;
@@ -157,9 +165,11 @@ static inline int ip6_input_finish(struct sk_buff *skb)
 		IP6_INC_STATS_BH(Ip6InDelivers);
 	} else {
 		if (!raw_sk) {
-			IP6_INC_STATS_BH(Ip6InUnknownProtos);
+			if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
-			icmpv6_param_prob(skb, ICMPV6_UNK_NEXTHDR,
+				IP6_INC_STATS_BH(Ip6InUnknownProtos);
-					  offsetof(struct ipv6hdr, nexthdr));
+				icmpv6_param_prob(skb, ICMPV6_UNK_NEXTHDR,
+						  offsetof(struct ipv6hdr, nexthdr));
+			}
 		} else {
 			IP6_INC_STATS_BH(Ip6InDelivers);
 			kfree_skb(skb);

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -50,6 +50,7 @@
 #include <net/addrconf.h>
 #include <net/rawv6.h>
 #include <net/icmp.h>
+#include <net/xfrm.h>
 static __inline__ void ipv6_select_ident(struct sk_buff *skb, struct frag_hdr *fhdr)
 {
@@ -747,6 +748,9 @@ int ip6_forward(struct sk_buff *skb)
 	if (ipv6_devconf.forwarding == 0)
 		goto error;
+	if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb))
+		goto drop;
 	skb->ip_summed = CHECKSUM_NONE;
 	/*
@@ -781,6 +785,9 @@ int ip6_forward(struct sk_buff *skb)
 		return -ETIMEDOUT;
 	}
+	if (!xfrm6_route_forward(skb))
+		goto drop;
 	/* IPv6 specs say nothing about it, but it is clear that we cannot
 	   send redirects to source routed frames.
 	 */

--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -2193,6 +2193,7 @@ struct proto tcpv6_prot = {
 static struct inet6_protocol tcpv6_protocol = {
 	.handler	=	tcp_v6_rcv,
 	.err_handler	=	tcp_v6_err,
+	.no_policy	=	1,
 };
 extern struct proto_ops inet6_stream_ops;

--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -955,6 +955,7 @@ static int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg
 static struct inet6_protocol udpv6_protocol = {
 	.handler	=	udpv6_rcv,
 	.err_handler	=	udpv6_err,
+	.no_policy	=	1,
 };
 #define LINE_LEN 190

--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -680,6 +680,7 @@ static int sctp6_rcv(struct sk_buff **pskb)
 static struct inet6_protocol sctpv6_protocol = {
 	.handler      = sctp6_rcv,
 	.err_handler  = sctp_v6_err,
+	.no_policy    = 1,
 };
 static struct sctp_af sctp_ipv6_specific = {

--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -776,6 +776,7 @@ static struct inet_protosw sctp_stream_protosw = {
 static struct inet_protocol sctp_protocol = {
 	.handler     = sctp_rcv,
 	.err_handler = sctp_v4_err,
+	.no_policy   = 1,
 };
 /* IPv4 address related functions.  */