author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-04-13 21:32:53 +0200 |
---|---|---|
committer | Adrian Bunk <bunk@stusta.de> | 2007-04-13 22:58:27 +0200 |
commit | ef846bc01da49cf63d289e97139bef5181e75229 (patch) | |
tree | 0ec4d20b4d2705ac0d8a1e52566748f93d7e8cfb /net/xfrm | |
parent | 19a0662baeb7f783d345ebdfe3048b834582b294 (diff) |
[IPSEC]: Reject packets within replay window but outside the bit mask
Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accommodate 32 packets. Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.
This patch causes those packets to be rejected instead.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_state.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 4318aa0f8b8..11a969014fc 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -776,7 +776,8 @@ int xfrm_replay_check(struct xfrm_state *x, u32 seq) return 0; diff = x->replay.seq - seq; - if (diff >= x->props.replay_window) { + if (diff >= min_t(unsigned int, x->props.replay_window, + sizeof(x->replay.bitmap) * 8)) { x->stats.replay_window++; return -EINVAL; } |
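Review bot: In the `diff >= min_t(unsigned int, x->props.replay_window, sizeof(x->replay.bitmap) * 8)` test in xfrm_replay_check(), the bound is enforced only at check time, while `x->props.replay_window` keeps the oversized value. Any other code that uses `x->props.replay_window` to index or shift `x->replay.bitmap` (not visible in this hunk) needs the same bound, so it would be more robust to clamp or reject the setting once when the state is configured and keep this test as a backstop. Also, packets dropped here because they fall beyond the bitmap width are counted in `x->stats.replay_window` together with packets that are older than the configured window; a short comment above the test saying so would help whoever reads that counter later.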