• Steffen Klassert's avatar
    xfrm: Assign the inner mode output function to the dst entry · 43a4dea4
    Steffen Klassert authored
    As it is, we assign the outer modes output function to the dst entry
    when we create the xfrm bundle. This leads to two problems on interfamily
    scenarios. We might insert ipv4 packets into ip6_fragment when called
    from xfrm6_output. The system crashes if we try to fragment an ipv4
    packet with ip6_fragment. This issue was introduced with git commit
    ad0081e4 (ipv6: Fragment locally generated tunnel-mode IPSec6 packets
    as needed). The second issue is, that we might insert ipv4 packets in
    netfilter6 and vice versa on interfamily scenarios.
    
    With this patch we assign the inner mode output function to the dst entry
    when we create the xfrm bundle. So xfrm4_output/xfrm6_output from the inner
    mode is used and the right fragmentation and netfilter functions are called.
    We switch then to outer mode with the output_finish functions.
    Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    43a4dea4
xfrm6_state.c 4.65 KB