[Openswan dev] decrypted packet appears at wrong ipsec interface

Vrabete, Brad brad.vrabete at intel.com
Fri Jan 16 12:17:12 EST 2009


Hi,

It might be safer to use strncmp and snprintf instead of strcmp and sprintf.

Brad 

>
>>
>> > +    char name[9];
>>
>> Using IFNAMSIZ would be better here.
>>
>>
>Thanks Tino!
>
>Any other comment please?
>This applies to 2.6.x also.
>
>Regards,
>-hiren
>
>---------updated patch-----------
>
>--- net/ipsec/ipsec_rcv.c.orig    Tue Dec 23 13:10:46 2008
>+++ net/ipsec/ipsec_rcv.c    Tue Dec 23 15:29:00 2008
>@@ -1619,18 +1619,44 @@ int klips26_rcv_encap(struct sk_buff *sk  {
>     struct ipsec_rcv_state nirs, *irs = &nirs;
>     struct iphdr *ipp;
>+    char name[IFNAMSIZ];
>+    struct net_device *ipsecdev = NULL, *prvdev = NULL;
>+    struct ipsecpriv *prv = NULL;
>+    int i;
>
>     /* Don't unlink in the middle of a turnaround */
>     KLIPS_INC_USE;
>
>     memset(irs, 0, sizeof(*irs));
>
>-    /* XXX fudge it so that all nat-t stuff comes from ipsec0    */
>-    /*     eventually, the SA itself will determine which device
>-     *     it comes from
>-     */
>-    {
>-      skb->dev = ipsec_get_device(0);
>+    if(skb->dev) {
>+        KLIPS_PRINT(debug_rcv,
>+                "klips_debug:klips26_rcv_encap: "
>+                "<<< Info -- ");
>+        KLIPS_PRINTMORE(debug_rcv, "skb->dev=%s ",
>+                skb->dev->name ? skb->dev->name : "NULL");
>+        KLIPS_PRINTMORE(debug_rcv, "\n");
>+
>+        if(skb->dev->name) {
>+            for(i = 0; i < IPSEC_NUM_IF; i++) {
>+                sprintf(name, IPSEC_DEV_FORMAT, i);
>+                ipsecdev = __ipsec_dev_get(name);
>+                prv = ipsecdev ? (struct ipsecpriv 
>*)(ipsecdev->priv) :
>NULL;
>+                prvdev = prv ? (struct net_device *)(prv->dev) : NULL;
>+                if(prvdev && !strcmp(prvdev->name, skb->dev->name)) {
>+                    skb->dev = ipsecdev;
>+                    KLIPS_PRINT(debug_rcv && prvdev,
>+                            "klips_debug:klips26_rcv_encap: "
>+                            "assigning packet ownership to virtual 
>+ device
>%s from physical device %s.\n",
>+                            name, prvdev->name);
>+                    break;
>+                }
>+            }
>+        }
>+    } else {
>+        KLIPS_PRINT(debug_rcv,
>+                "klips_debug:klips26_rcv_encap: "
>+                "device supplied with skb is NULL\n");
>     }
>
>     /* set up for decap loop */
>
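Review bot: In the for loop, `sprintf(name, IPSEC_DEV_FORMAT, i);` writes into `char name[IFNAMSIZ]` with no length bound, so the buffer is safe only while the expansion of IPSEC_DEV_FORMAT fits in IFNAMSIZ bytes for every i below IPSEC_NUM_IF; `snprintf(name, sizeof(name), IPSEC_DEV_FORMAT, i);` makes that limit explicit. Separately, the removed code always set skb->dev to ipsec_get_device(0), while the new code leaves skb->dev unchanged both when no prvdev name matches and when skb->dev is NULL, and then continues into the decap setup. That path needs an explicit fallback or drop, plus a debug message for the no-match case. The `debug_rcv && prvdev` condition in the inner KLIPS_PRINT is redundant, since that branch is reached only when prvdev is non-NULL.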