From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 23 Oct 2024 10:53:45 +0000 (+0200)
Subject: xfrm: Restrict percpu SA attribute to specific netlink message types
X-Git-Tag: v6.13-rc1~135^2~23^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83dfce38c49f3242c7edf5baab5c79c9ec360ecc;p=thirdparty%2Fkernel%2Flinux.git

xfrm: Restrict percpu SA attribute to specific netlink message types

Reject the usage of XFRMA_SA_PCPU in xfrm netlink messages when
it's not applicable.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Tested-by: Antony Antony <antony.antony@secunet.com>
Tested-by: Tobias Brunner <tobias@strongswan.org>
---

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e4d448950d059..b6ce2b3c6b874 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3282,6 +3282,20 @@ static int xfrm_reject_unused_attr(int type, struct nlattr **attrs,
 		}
 	}
 
+	if (attrs[XFRMA_SA_PCPU]) {
+		switch (type) {
+		case XFRM_MSG_NEWSA:
+		case XFRM_MSG_UPDSA:
+		case XFRM_MSG_ALLOCSPI:
+		case XFRM_MSG_ACQUIRE:
+
+			break;
+		default:
+			NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU");
+			return -EINVAL;
+		}
+	}
+
 	return 0;
 }