2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-24 13:13:57 +08:00

xfrm: add extack support to verify_newpolicy_info

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
Sabrina Dubroca 2022-08-30 16:23:08 +02:00 committed by Steffen Klassert
parent 3bec6c3e83
commit ec2b4f0153

View File

@ -1512,7 +1512,8 @@ static int verify_policy_type(u8 type)
return 0;
}
static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
static int verify_newpolicy_info(struct xfrm_userpolicy_info *p,
struct netlink_ext_ack *extack)
{
int ret;
@ -1524,6 +1525,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
break;
default:
NL_SET_ERR_MSG(extack, "Invalid policy share");
return -EINVAL;
}
@ -1533,35 +1535,44 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
break;
default:
NL_SET_ERR_MSG(extack, "Invalid policy action");
return -EINVAL;
}
switch (p->sel.family) {
case AF_INET:
if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) {
NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 32 for IPv4)");
return -EINVAL;
}
break;
case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) {
NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 128 for IPv6)");
return -EINVAL;
}
break;
#else
NL_SET_ERR_MSG(extack, "IPv6 support disabled");
return -EAFNOSUPPORT;
#endif
default:
NL_SET_ERR_MSG(extack, "Invalid selector family");
return -EINVAL;
}
ret = verify_policy_dir(p->dir);
if (ret)
return ret;
if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) {
NL_SET_ERR_MSG(extack, "Policy index doesn't match direction");
return -EINVAL;
}
return 0;
}
@ -1768,7 +1779,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
int err;
int excl;
err = verify_newpolicy_info(p);
err = verify_newpolicy_info(p, extack);
if (err)
return err;
err = verify_sec_ctx_len(attrs);
@ -2501,7 +2512,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
xfrm_mark_get(attrs, &mark);
err = verify_newpolicy_info(&ua->policy);
err = verify_newpolicy_info(&ua->policy, extack);
if (err)
goto free_state;
err = verify_sec_ctx_len(attrs);
@ -3284,7 +3295,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
*dir = -EINVAL;
if (len < sizeof(*p) ||
verify_newpolicy_info(p))
verify_newpolicy_info(p, NULL))
return NULL;
nr = ((len - sizeof(*p)) / sizeof(*ut));