original_kernel/net
Masahide NAKAMURA e53820de0f [XFRM] IPV6: Restrict bundle reusing
For outbound transformation, a bundle is checked to see whether it is
suitable to be reused for the current flow. In an IPv6 case such as
the one below, transformation may apply an incorrect bundle to the flow instead
of creating another bundle:

- The policy selector has destination prefix length < 128
  (Two or more addresses can match it)
- Its bundle holds a dst entry of a default route whose prefix length < 128
  (Previous traffic used such a route as next hop)
- The policy and the bundle were used with a transport mode state, and
  this time the flow address does not match the bundled state.

This issue was found through Mobile IPv6 usage to protect mobility signaling
by IPsec, but it is not Mobile IPv6 specific.
This patch adds a strict check to xfrm_bundle_ok() for each
state mode and address when the prefix length is less than 128.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22 15:06:44 -07:00
..
802
8021q
appletalk
atm [NET]: Remove unnecessary config.h includes from net/ 2006-09-22 14:54:21 -07:00
ax25
bluetooth
bridge [BRIDGE]: Convert notifications to use rtnl_notify() 2006-09-22 14:54:59 -07:00
core [RTNETLINK]: Don't return error on no-metrics. 2006-09-22 14:55:40 -07:00
dccp [IPV6]: Cache source address as well in ipv6_pinfo{}. 2006-09-22 14:55:45 -07:00
decnet [DECNET]: Convert DECnet notifications to use rtnl_notify() 2006-09-22 14:54:52 -07:00
econet
ethernet [ETH]: indentation and cleanup 2006-09-22 14:55:09 -07:00
ieee80211 [CRYPTO] users: Use crypto_hash interface instead of crypto_digest 2006-09-21 11:46:21 +10:00
ipv4 [XFRM] IPV6: Restrict bundle reusing 2006-09-22 15:06:44 -07:00
ipv6 [XFRM] IPV6: Restrict bundle reusing 2006-09-22 15:06:44 -07:00
ipx [IPX]: Fix typo, ipxhdr() --> ipx_hdr() 2006-08-09 17:36:15 -07:00
irda
key [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00
lapb [LAPB]: Fix windowsize check 2006-08-05 21:15:58 -07:00
llc [LLC]: multicast receive device match 2006-08-13 18:56:26 -07:00
netfilter [NETFILTER]: x_tables: Fix typos after conversion to use mass registration helper 2006-09-22 14:55:40 -07:00
netlabel [NETLINK]: Add notification message sending interface 2006-09-22 14:54:49 -07:00
netlink [NETLINK]: Add notification message sending interface 2006-09-22 14:54:49 -07:00
netrom
packet [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
rose
rxrpc
sched [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
sctp [SCTP]: Remove multiple levels of msecs to jiffies conversions. 2006-09-22 14:55:39 -07:00
sunrpc [SUNRPC]: Remove the unnecessary check for highmem in xs_sendpages(). 2006-09-22 14:54:16 -07:00
tipc
unix [AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch 2006-08-02 14:12:06 -07:00
wanrouter
x25
xfrm [XFRM] IPV6: Restrict bundle reusing 2006-09-22 15:06:44 -07:00
Kconfig [NET]: Protocol Independent Policy Routing Rules Framework 2006-09-22 14:53:40 -07:00
Makefile [NetLabel]: core NetLabel subsystem 2006-09-22 14:53:34 -07:00
TUNABLE
compat.c
nonet.c
socket.c [NET]: Kill double initialization in sock_alloc_inode. 2006-09-22 14:54:22 -07:00
sysctl_net.c