From f7d0e5a506396419eb731b6c6cd97ed23c9245c7 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Sun, 20 Apr 2008 16:06:22 -0700 Subject: skbuff: fix missing kernel-doc notation Add kernel-doc notation for ndisc_nodetype: Warning(linux-2.6.25-git2//include/linux/skbuff.h:340): No description found for parameter 'ndisc_nodetype' Signed-off-by: Randy Dunlap Signed-off-by: David S. Miller --- include/linux/skbuff.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 11fd9f2c409..299ec4b3141 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -242,6 +242,7 @@ typedef unsigned char *sk_buff_data_t; * @queue_mapping: Queue mapping for multiqueue devices * @tc_index: Traffic control index * @tc_verd: traffic control verdict + * @ndisc_nodetype: router type (from link layer) * @dma_cookie: a cookie to one of several possible DMA operations * done by skb DMA functions * @secmark: security marking -- cgit v1.2.3-70-g09d2 From c5d18e984a313adf5a1a4ae69e0b1d93cf410229 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Tue, 22 Apr 2008 00:46:42 -0700 Subject: [IPSEC]: Fix catch-22 with algorithm IDs above 31 As it stands it's impossible to use any authentication algorithms with an ID above 31 portably. It just happens to work on x86 but fails miserably on ppc64. The reason is that we're using a bit mask to check the algorithm ID but the mask is only 32 bits wide. After looking at how this is used in the field, I have concluded that in the long term we should phase out state matching by IDs because this is made superfluous by the reqid feature. For current applications, the best solution IMHO is to allow all algorithms when the bit masks are all ~0. The following patch does exactly that. This bug was identified by IBM when testing on the ppc64 platform using the NULL authentication algorithm which has an ID of 251. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- include/net/xfrm.h | 3 +++ net/key/af_key.c | 2 +- net/xfrm/xfrm_policy.c | 2 +- net/xfrm/xfrm_user.c | 2 ++ 4 files changed, 7 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index b56b6a10fe5..baa9f372cfd 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -436,6 +436,9 @@ struct xfrm_tmpl /* May skip this transfomration if no SA is found */ __u8 optional; +/* Skip aalgos/ealgos/calgos checks. */ + __u8 allalgs; + /* Bit mask of algos allowed for acquisition */ __u32 aalgos; __u32 ealgos; diff --git a/net/key/af_key.c b/net/key/af_key.c index 1fb0fe42a72..81a8e5297ad 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1907,7 +1907,7 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) t->encap_family = xp->family; /* No way to set this via kame pfkey */ - t->aalgos = t->ealgos = t->calgos = ~0; + t->allalgs = 1; xp->xfrm_nr++; return 0; } diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index ab4d0e598a2..e0c0390613c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1819,7 +1819,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && (x->props.reqid == tmpl->reqid || !tmpl->reqid) && x->props.mode == tmpl->mode && - ((tmpl->aalgos & (1<props.aalgo)) || + (tmpl->allalgs || (tmpl->aalgos & (1<props.aalgo)) || !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && !(x->props.mode != XFRM_MODE_TRANSPORT && xfrm_state_addr_cmp(tmpl, x, family)); diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 1810f5645bb..22a30ae582a 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -981,6 +981,8 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, t->aalgos = ut->aalgos; t->ealgos = ut->ealgos; t->calgos = ut->calgos; + /* If all masks are ~0, then we allow all algorithms. */ + t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); t->encap_family = ut->family; } } -- cgit v1.2.3-70-g09d2