linux/net/ipv4
Masahide NAKAMURA e53820de0f [XFRM] IPV6: Restrict bundle reusing
For outbound transformation, a bundle is checked to see whether it is
suitable to be reused for the current flow. In an IPv6 case such
as the one below, the transformation may apply an incorrect bundle to the flow instead
of creating another bundle:

- The policy selector has a destination prefix length < 128
  (Two or more addresses can match it)
- Its bundle holds a dst entry of a default route whose prefix length < 128
  (Previous traffic used such a route as next hop)
- The policy and the bundle used a transport mode state and
  this time the flow address does not match the bundled state.

This issue was found through Mobile IPv6 usage to protect mobility signaling
by IPsec, but it is not Mobile IPv6 specific.
This patch adds a strict check to xfrm_bundle_ok() for each
state mode and address when the prefix length is less than 128.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22 15:06:44 -07:00
ipvs [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
netfilter [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
af_inet.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
ah4.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00
arp.c [NET]: Conversions from kmalloc+memset to k(z|c)alloc. 2006-07-21 14:51:30 -07:00
cipso_ipv4.c [NET]: Make code static. 2006-09-22 14:54:07 -07:00
datagram.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
devinet.c [IPv4] address: Convert address notification to use rtnl_notify() 2006-09-22 14:54:53 -07:00
esp4.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00
fib_frontend.c [IPv4]: Convert route get to new netlink api 2006-09-22 14:55:06 -07:00
fib_hash.c [IPv4]: Convert FIB dumping to use new netlink api 2006-09-22 14:55:05 -07:00
fib_lookup.h [IPv4]: Convert FIB dumping to use new netlink api 2006-09-22 14:55:05 -07:00
fib_rules.c [IPV4]: Increase number of possible routing tables to 2^32 2006-09-22 14:54:26 -07:00
fib_semantics.c [IPv4]: Convert FIB dumping to use new netlink api 2006-09-22 14:55:05 -07:00
fib_trie.c [IPv4]: Convert FIB dumping to use new netlink api 2006-09-22 14:55:05 -07:00
icmp.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
igmp.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
inet_connection_sock.c [MLSXFRM]: Auto-labeling of child sockets 2006-09-22 14:53:29 -07:00
inet_diag.c [NET]: Conversions from kmalloc+memset to k(z|c)alloc. 2006-07-21 14:51:30 -07:00
inet_hashtables.c [IPV4]: Use network-order dport for all visible inet_lookup_* 2006-09-22 14:54:14 -07:00
inet_timewait_sock.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
inetpeer.c [IPV4] inetpeer: Get rid of volatile from peer_total 2006-07-10 14:50:30 -07:00
ip_forward.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
ip_fragment.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
ip_gre.c [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
ip_input.c [IPV4]: Clear the whole IPCB, this clears also IPCB(skb)->flags. 2006-07-24 23:45:16 -07:00
ip_options.c [INET]: Remove is_setbyuser patch 2006-09-22 14:54:10 -07:00
ip_output.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
ip_sockglue.c [AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch 2006-08-02 14:12:06 -07:00
ipcomp.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00
ipconfig.c [NET]: Remove unnecessary config.h includes from net/ 2006-09-22 14:54:21 -07:00
ipip.c [IPV4]: Get rid of redundant IPCB->opts initialisation 2006-07-21 14:29:53 -07:00
ipmr.c [RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts 2006-09-22 14:54:48 -07:00
Kconfig [IPV4]: Use Protocol Independant Policy Routing Rules Framework 2006-09-22 14:53:42 -07:00
Makefile [NetLabel]: CIPSOv4 engine 2006-09-22 14:53:33 -07:00
multipath_drr.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
multipath_random.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
multipath_rr.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
multipath_wrandom.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
multipath.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
netfilter.c [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
proc.c [IPV4]: add the UdpSndbufErrors and UdpRcvbufErrors MIBs 2006-09-22 14:54:41 -07:00
protocol.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
raw.c [NET]: Remove unnecessary config.h includes from net/ 2006-09-22 14:54:21 -07:00
route.c [IPv4]: Convert route get to new netlink api 2006-09-22 14:55:06 -07:00
syncookies.c [MLSXFRM]: Auto-labeling of child sockets 2006-09-22 14:53:29 -07:00
sysctl_net_ipv4.c [NetLabel]: CIPSOv4 engine 2006-09-22 14:53:33 -07:00
tcp_bic.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_cong.c [TCP]: Two RFC3465 Appropriate Byte Count fixes. 2006-08-29 21:22:16 -07:00
tcp_cubic.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_diag.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_highspeed.c [TCP] tcp_highspeed: Fix AI updates. 2006-07-12 13:58:50 -07:00
tcp_htcp.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_hybla.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_input.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
tcp_ipv4.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
tcp_lp.c [NET]: Remove unnecessary config.h includes from net/ 2006-09-22 14:54:21 -07:00
tcp_minisocks.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
tcp_output.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
tcp_probe.c [TCP]: Fix botched memory leak fix to tcpprobe_read(). 2006-08-13 18:05:09 -07:00
tcp_scalable.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_timer.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
tcp_vegas.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_veno.c [NET]: Remove unnecessary config.h includes from net/ 2006-09-22 14:54:21 -07:00
tcp_westwood.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
tunnel4.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
udp.c [IPV4]: add the UdpSndbufErrors and UdpRcvbufErrors MIBs 2006-09-22 14:54:41 -07:00
xfrm4_input.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00
xfrm4_mode_transport.c [IPSEC] proto: Move transport mode input path into xfrm_mode_transport 2006-06-17 21:28:41 -07:00
xfrm4_mode_tunnel.c [IPV4]: Get rid of redundant IPCB->opts initialisation 2006-07-21 14:29:53 -07:00
xfrm4_output.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00
xfrm4_policy.c [XFRM] IPV6: Restrict bundle reusing 2006-09-22 15:06:44 -07:00
xfrm4_state.c [XFRM] STATE: Search by address using source address list. 2006-09-22 15:06:35 -07:00
xfrm4_tunnel.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00