[Swan-dev] mystery in linux/net/ipsec/ipsec_rcv.c
Paul Wouters
paul at nohats.ca
Sat Jun 30 16:30:47 UTC 2018
On Sat, 30 Jun 2018, D. Hugh Redelmeier wrote:
> (This is kernel code so my understanding of it is limited.)
>
> There are two copies of this code fragment:
>
>     if (((struct sockaddr_in6*)(ipsp->ips_addr_s))->sin6_family == AF_INET6)
>             psin6 = (struct sockaddr_in6*)(ipsp->ips_addr_s);
>     else if (((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_family == AF_INET6)
>             psin = (struct sockaddr_in*)(ipsp->ips_addr_s);
>
> I'm guessing that the second AF_INET6 was intended to be AF_INET.

That seems to be the case.

> If I'm not wrong, why have we not noticed this since it was introduced
> by c90c46be434cc0a68a8f5e1b0e88a9d019a9f733 in 2010?

I don't know, but I do see this code is within
sysctl_ipsec_inbound_policy_check, and I do have some vague memory of
people needing to change that setting?

> If we fix these two bugs, subsequent code paths will change. So new
> problems might appear.
>
> In particular, the current code (quoted above) seems to think IPv6 is
> always being used. That's not likely. The following code somehow
> survives this blunder.

Please commit the fix. I don't see any valid reason for leaving it as
is.

Paul
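
An added example, not code from this thread or from the project's tree: a user-space C model of the quoted selection next to the form with the second comparison changed to AF_INET, as the thread guesses was intended. `struct addr_view`, the function names and the zero-filled sample addresses are constructed for illustration; what the kernel code does afterwards with `psin` and `psin6` is not on the page and is not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical holder for the two typed views the fragment assigns. */
struct addr_view {
    struct sockaddr_in  *psin;   /* IPv4 view, NULL if not selected */
    struct sockaddr_in6 *psin6;  /* IPv6 view, NULL if not selected */
};

/* Same comparisons as the quoted fragment: both branches test AF_INET6. */
static struct addr_view select_as_quoted(struct sockaddr *addr_s)
{
    struct addr_view v = { NULL, NULL };
    if (((struct sockaddr_in6 *)addr_s)->sin6_family == AF_INET6)
        v.psin6 = (struct sockaddr_in6 *)addr_s;
    else if (((struct sockaddr_in *)addr_s)->sin_family == AF_INET6)
        v.psin = (struct sockaddr_in *)addr_s;  /* never reached */
    return v;
}

/* Second comparison changed to AF_INET, as the thread guesses was intended. */
static struct addr_view select_corrected(struct sockaddr *addr_s)
{
    struct addr_view v = { NULL, NULL };
    if (addr_s->sa_family == AF_INET6)
        v.psin6 = (struct sockaddr_in6 *)addr_s;
    else if (addr_s->sa_family == AF_INET)
        v.psin = (struct sockaddr_in *)addr_s;
    return v;
}

/* 1 if the selector leaves both views NULL for a zero-filled address. */
static int leaves_both_null(struct addr_view (*sel)(struct sockaddr *),
                            sa_family_t family)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof(ss));
    ss.ss_family = family;
    struct addr_view v = sel((struct sockaddr *)&ss);
    return v.psin == NULL && v.psin6 == NULL;
}

int main(void)
{
    printf("as quoted, AF_INET: both NULL = %d\n", leaves_both_null(select_as_quoted, AF_INET));
    printf("corrected, AF_INET: both NULL = %d\n", leaves_both_null(select_corrected, AF_INET));
    return 0;
}
```

With the comparisons as quoted, an AF_INET address selects neither view, so any later code that expects `psin` to be set for IPv4 sees it unset.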