[IPSEC]: Reject packets within replay window but outside the bit mask

Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
author: Herbert Xu <herbert@gondor.apana.org.au> 2007-04-13 21:32:53 +0200
committer: Adrian Bunk <bunk@stusta.de> 2007-04-13 22:58:27 +0200
commit: ef846bc01da49cf63d289e97139bef5181e75229 (patch)
tree: 0ec4d20b4d2705ac0d8a1e52566748f93d7e8cfb
parent: 19a0662baeb7f783d345ebdfe3048b834582b294 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 4318aa0f8b86..11a969014fcc 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -776,7 +776,8 @@ int xfrm_replay_check(struct xfrm_state *x, u32 seq)
 		return 0;
 
 	diff = x->replay.seq - seq;
-	if (diff >= x->props.replay_window) {
+	if (diff >= min_t(unsigned int, x->props.replay_window,
+			  sizeof(x->replay.bitmap) * 8)) {
 		x->stats.replay_window++;
 		return -EINVAL;
 	}
author	Herbert Xu <herbert@gondor.apana.org.au>	2007-04-13 21:32:53 +0200
committer	Adrian Bunk <bunk@stusta.de>	2007-04-13 22:58:27 +0200
commit	ef846bc01da49cf63d289e97139bef5181e75229 (patch)
tree	0ec4d20b4d2705ac0d8a1e52566748f93d7e8cfb
parent	19a0662baeb7f783d345ebdfe3048b834582b294 (diff)