Commit 274837fb authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

[XFRM]: Make {__,}xfrm_policy_check behave identically wrt. empty policy lists.

Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f47d2349
...@@ -893,6 +893,16 @@ _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family) ...@@ -893,6 +893,16 @@ _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
return 0; return 0;
} }
static inline int secpath_has_tunnel(struct sec_path *sp, int k)
{
for (; k < sp->len; k++) {
if (sp->x[k].xvec->props.mode)
return 1;
}
return 0;
}
int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
unsigned short family) unsigned short family)
{ {
...@@ -930,7 +940,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, ...@@ -930,7 +940,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
xfrm_policy_lookup); xfrm_policy_lookup);
if (!pol) if (!pol)
return !skb->sp; return !skb->sp || !secpath_has_tunnel(skb->sp, 0);
pol->curlft.use_time = (unsigned long)xtime.tv_sec; pol->curlft.use_time = (unsigned long)xtime.tv_sec;
...@@ -954,10 +964,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, ...@@ -954,10 +964,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
goto reject; goto reject;
} }
for (; k < sp->len; k++) { if (secpath_has_tunnel(sp, k))
if (sp->x[k].xvec->props.mode) goto reject;
goto reject;
}
xfrm_pol_put(pol); xfrm_pol_put(pol);
return 1; return 1;
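Review bot: The new return in the `!pol` branch, `return !skb->sp || !secpath_has_tunnel(skb->sp, 0);`, now accepts a packet that carries a secpath as long as no entry has a non-zero `props.mode`, and neither that line nor the new helper says why this is safe. I would add `/* Return 1 if any secpath entry from index k onward has a non-zero props.mode, i.e. was applied in tunnel mode. */` above `secpath_has_tunnel`, and `/* No policy matched: accept unless a tunnel-mode state was applied to this packet. */` above the return. From the visible lines the branch runs whenever the lookup yields no policy, which may be broader than the "empty policy lists" case named in the title, so it is worth confirming that accepting transport-mode-only secpaths is intended there too. The body of `__xfrm_policy_check` continues outside the hunks shown, so the rest of the template matching is not checked here.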
......