From: Anirudh Gupta
Date: Mon, 20 May 2019 22:35:24 +0530
Subject: Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
To: Herbert Xu
Cc: Steffen Klassert, Anirudh Gupta, "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Herbert,

Yes, I notice that is the only verification of p->family from userspace. However, the underlying conditions added in commit '07bf7908950a' validate the selector src/dest prefix len.

So, in case when adding a new SA entry, the family of Selector src/dst is IPv6 and state id src/dst family is IPv4. Then, the IPv6 selector prefix verification falls in IPv4 switch case. This results in not being able to provide prefix length of more than 32, even for IPv6 src/dst.

The above mentioned behaviour can easily be reproduced using below command having IPv6 selector src/dst with greater than 32 prefix length.

ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
    reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
    0x1111016400000000000000000000000044440001 128 \
    sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Please let me know, if I fail to explain my point or I am overlooking anything.

Thanks & Regards,
Anirudh

On Mon, May 20, 2019 at 9:02 PM Herbert Xu wrote:
>
> On Mon, May 20, 2019 at 03:01:56PM +0530, Anirudh Gupta wrote:
> >
> > diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c > > index eb8d14389601..fc2a8c08091b 100644 > > --- a/net/xfrm/xfrm_user.c > > +++ b/net/xfrm/xfrm_user.c
> > @@ -149,7 +149,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, > > int err; > > > > err = -EINVAL; > > - switch (p->family) { > > + switch (p->sel.family) { > > case AF_INET: > > if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) > > goto out; > > You just removed the only verification of p->family... > -- > Email: Herbert Xu > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- Regards Anirudh Gupta
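
Review bot: In verify_newsa_info(), changing `switch (p->family)` to `switch (p->sel.family)` leaves p->family without any check in this switch, so a request with an arbitrary state family now passes this point as long as the selector family and prefix lengths look valid. Keep the existing switch on p->family for the family check and move the `p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32` test into a second switch on p->sel.family, so the IPv4 state with IPv6 selector case from the reproducer is accepted without dropping the state-family validation. The commit message should also say what the second switch is expected to do when the selector family matches neither case.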
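
The mismatch discussed in this thread, as an added example that is not code from the patch or from the kernel: a simplified user-space model that compares bounding the prefix lengths by the state family, bounding them by the selector family only, and doing both checks. The struct, the function names and the sample inputs are hypothetical, and returning -EINVAL for every rejected case is a simplification.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Hypothetical stand-in for the fields named in the thread, not the kernel struct. */
struct sa_req {
    uint16_t family;       /* state family (p->family) */
    uint16_t sel_family;   /* selector family (p->sel.family) */
    uint8_t prefixlen_s, prefixlen_d;
};

/* Largest valid prefix length, or -1 for a family this model rejects. */
static int max_prefix(uint16_t family)
{
    return family == AF_INET ? 32 : family == AF_INET6 ? 128 : -1;
}

static int check_prefix(const struct sa_req *p, uint16_t family)
{
    int max = max_prefix(family);
    return (max < 0 || p->prefixlen_s > max || p->prefixlen_d > max) ? -EINVAL : 0;
}

/* Before the patch: prefix lengths are bounded by the state family. */
int verify_old(const struct sa_req *p) { return check_prefix(p, p->family); }

/* Posted patch: bounded by the selector family; p->family is never inspected. */
int verify_patched(const struct sa_req *p) { return check_prefix(p, p->sel_family); }

/* Both checks: reject an unknown state family, then bound by the selector family. */
int verify_both(const struct sa_req *p)
{
    return max_prefix(p->family) < 0 ? -EINVAL : check_prefix(p, p->sel_family);
}

/* Constructed inputs: IPv4 state with IPv6 /128 selector, and a bogus state family. */
const struct sa_req mixed_sa = { AF_INET, AF_INET6, 128, 128 };
const struct sa_req bogus_sa = { 0xffff, AF_INET6, 128, 128 };

int main(void)
{
    printf("mixed: old=%d patched=%d both=%d\n", verify_old(&mixed_sa),
           verify_patched(&mixed_sa), verify_both(&mixed_sa));
    printf("bogus: old=%d patched=%d both=%d\n", verify_old(&bogus_sa),
           verify_patched(&bogus_sa), verify_both(&bogus_sa));
    return 0;
}
```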