[XFRM]: Make {__,}xfrm_policy_check behave identically wrt. empty policy lists.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>

[XFRM]: Make {__,}xfrm_policy_check behave identically wrt. empty policy lists.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
274837fb · Herbert Xu · David S. Miller · f47d2349 · 274837fb
Commit 274837fb authored Oct 20, 2004 by Herbert Xu Committed by David S. Miller Oct 20, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 5 deletions

net/xfrm/xfrm_policy.c net/xfrm/xfrm_policy.c +13 -5

No files found.
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -893,6 +893,16 @@ _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
 	return 0;
 }

+static inline int secpath_has_tunnel(struct sec_path *sp, int k)
+{
+	for (; k < sp->len; k++) {
+		if (sp->x[k].xvec->props.mode)
+			return 1;
+	}
+
+	return 0;
+}
+
 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, 
 			unsigned short family)
 {
@@ -930,7 +940,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 					xfrm_policy_lookup);

 	if (!pol)
-		return !skb->sp;
+		return !skb->sp || !secpath_has_tunnel(skb->sp, 0);

 	pol->curlft.use_time = (unsigned long)xtime.tv_sec;

@@ -954,10 +964,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 				goto reject;
 		}

-		for (; k < sp->len; k++) {
-			if (sp->x[k].xvec->props.mode)
-				goto reject;
-		}
+		if (secpath_has_tunnel(sp, k))
+			goto reject;

 		xfrm_pol_put(pol);
 		return 1;