Commit 274837fb authored by Herbert Xu Committed by David S. Miller

[XFRM]: Make {__,}xfrm_policy_check behave identically wrt. empty policy lists.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent f47d2349
......@@ -893,6 +893,16 @@ _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
return 0;
}
static inline int secpath_has_tunnel(struct sec_path *sp, int k)
{
for (; k < sp->len; k++) {
if (sp->x[k].xvec->props.mode)
return 1;
}
return 0;
}
int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
unsigned short family)
{
......@@ -930,7 +940,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
xfrm_policy_lookup);
if (!pol)
return !skb->sp;
return !skb->sp || !secpath_has_tunnel(skb->sp, 0);
pol->curlft.use_time = (unsigned long)xtime.tv_sec;
......@@ -954,10 +964,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
goto reject;
}
for (; k < sp->len; k++) {
if (sp->x[k].xvec->props.mode)
goto reject;
}
if (secpath_has_tunnel(sp, k))
goto reject;
xfrm_pol_put(pol);
return 1;
......
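Review bot: The no-policy return in the second hunk, `return !skb->sp || !secpath_has_tunnel(skb->sp, 0);`, needs a comment stating the accept rule it implements, because it relaxes the inbound check: reading the `||` line as the new side (the +/- markers are lost on this page, but the hunk counts and the commit title point that way), a packet whose secpath holds only non-tunnel states is now accepted when no policy matches, where the older line accepted only packets with no secpath at all. A line such as `/* No policy: accept unless a tunnel-mode state was applied */` above the return would make that decision visible to the next reviewer. The new helper secpath_has_tunnel should also get a short comment saying that `k` is the first secpath index to scan and that any non-zero `props.mode` is treated as tunnel mode. That truthiness test classifies every non-zero mode value as a tunnel, which rejects the packet at both call sites and so fails closed, but the assumption should be written down. __xfrm_policy_check starts in the first hunk and continues outside the lines shown.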