[IPSEC]: Reject packets within replay window but outside the bit mask

Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>

[IPSEC]: Reject packets within replay window but outside the bit mask
4c4d51a7 · Herbert Xu · David S. Miller · 60e5c166 · 4c4d51a7
Commit 4c4d51a7 authored 17 years ago by Herbert Xu Committed by David S. Miller 17 years ago
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1371,7 +1371,8 @@ int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
 		return 0;

 	diff = x->replay.seq - seq;
-	if (diff >= x->props.replay_window) {
+	if (diff >= min_t(unsigned int, x->props.replay_window,
+			  sizeof(x->replay.bitmap) * 8)) {
 		x->stats.replay_window++;
 		return -EINVAL;
 	}