xfrm: Restrict percpu SA attribute to specific netlink message types

klassert · klassert · commit 83dfce38c49f · 2024-10-29T11:56:24.000+01:00
Reject the usage of XFRMA_SA_PCPU in xfrm netlink messages when
it's not applicable.

Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Tested-by: Antony Antony &lt;antony.antony@secunet.com&gt;
Tested-by: Tobias Brunner &lt;tobias@strongswan.org&gt;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
@@ -3282,6 +3282,20 @@ static int xfrm_reject_unused_attr(int type, struct nlattr **attrs,
 		}
 	}
 
+	if (attrs[XFRMA_SA_PCPU]) {
+		switch (type) {
+		case XFRM_MSG_NEWSA:
+		case XFRM_MSG_UPDSA:
+		case XFRM_MSG_ALLOCSPI:
+		case XFRM_MSG_ACQUIRE:
+
+			break;
+		default:
+			NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU");
+			return -EINVAL;
+		}
+	}
+
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3282,6 +3282,20 @@ static int xfrm_reject_unused_attr(int type, struct nlattr **attrs,`
`3282`	`3282`	`}`
`3283`	`3283`	`}`
`3284`	`3284`
	`3285`	`+ if (attrs[XFRMA_SA_PCPU]) {`
	`3286`	`+ switch (type) {`
	`3287`	`+ case XFRM_MSG_NEWSA:`
	`3288`	`+ case XFRM_MSG_UPDSA:`
	`3289`	`+ case XFRM_MSG_ALLOCSPI:`
	`3290`	`+ case XFRM_MSG_ACQUIRE:`
	`3291`	`+`
	`3292`	`+ break;`
	`3293`	`+ default:`
	`3294`	`+ NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU");`
	`3295`	`+ return -EINVAL;`
	`3296`	`+ }`
	`3297`	`+ }`
	`3298`	`+`
`3285`	`3299`	`return 0;`
`3286`	`3300`	`}`
`3287`	`3301`