xfrm: policy: check reinserted policies match their node

validate the re-inserted policies match the lookup node. Policies that fail this test won't be returned in the candidate set. This is enabled by default for now, it should not cause noticeable reinsert slow down. Such reinserts are needed when we have to merge an existing node (e.g. for 10.0.0.0/28 because a overlapping subnet was added (e.g. 10.0.0.0/24), so whenever this happens existing policies have to be placed on the list of the new node. Signed-off-by: N Florian Westphal <fw@strlen.de> Acked-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com>

xfrm: policy: check reinserted policies match their node
validate the re-inserted policies match the lookup node. Policies that fail this test won't be returned in the candidate set. This is enabled by default for now, it should not cause noticeable reinsert slow down. Such reinserts are needed when we have to merge an existing node (e.g. for 10.0.0.0/28 because a overlapping subnet was added (e.g. 10.0.0.0/24), so whenever this happens existing policies have to be placed on the list of the new node. Signed-off-by: N Florian Westphal <fw@strlen.de> Acked-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com>
e901cbc2 · Florian Westphal · Steffen Klassert · 9cf545eb · e901cbc2
隐藏空白更改
内联并排

Showing with 32 addition and 0 deletion

net/xfrm/xfrm_policy.c net/xfrm/xfrm_policy.c +32 -0

未找到文件。
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -806,10 +806,16 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,
 					      struct xfrm_pol_inexact_node *n,
 					      u16 family)
 {
+	unsigned int matched_s, matched_d;
 	struct hlist_node *newpos = NULL;
 	struct xfrm_policy *policy, *p;

+	matched_s = 0;
+	matched_d = 0;
+
 	list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
+		bool matches_s, matches_d;
+
 		if (!policy->bydst_reinsert)
 			continue;

@@ -827,6 +833,32 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,
 			hlist_add_behind(&policy->bydst, newpos);
 		else
 			hlist_add_head(&policy->bydst, &n->hhead);
+
+		/* paranoia checks follow.
+		 * Check that the reinserted policy matches at least
+		 * saddr or daddr for current node prefix.
+		 *
+		 * Matching both is fine, matching saddr in one policy
+		 * (but not daddr) and then matching only daddr in another
+		 * is a bug.
+		 */
+		matches_s = xfrm_policy_addr_delta(&policy->selector.saddr,
+						   &n->addr,
+						   n->prefixlen,
+						   family) == 0;
+		matches_d = xfrm_policy_addr_delta(&policy->selector.daddr,
+						   &n->addr,
+						   n->prefixlen,
+						   family) == 0;
+		if (matches_s && matches_d)
+			continue;
+
+		WARN_ON_ONCE(!matches_s && !matches_d);
+		if (matches_s)
+			matched_s++;
+		if (matches_d)
+			matched_d++;
+		WARN_ON_ONCE(matched_s && matched_d);
 	}
 }