git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
Fix IPSEC replay window handling
author: Herbert Xu <herbert@gondor.apana.org.au>
Tue, 10 Apr 2007 20:37:24 +0000 (13:37 -0700)
committer: Greg Kroah-Hartman <gregkh@suse.de>
Fri, 13 Apr 2007 20:47:05 +0000 (13:47 -0700)
[IPSEC]: Reject packets within replay window but outside the bit mask

Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accommodate 32 packets.  Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.

This patch causes those packets to be rejected instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/xfrm/xfrm_state.c

index f0f2c1a0737275785d83883f51d945f67644b86b..7cd0f3c811f40c72751b3dff83564dfe70c7c40c 100644 (file)
@@ -1220,7 +1220,8 @@ int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
                return 0;
 
        diff = x->replay.seq - seq;
-       if (diff >= x->props.replay_window) {
+       if (diff >= min_t(unsigned int, x->props.replay_window,
+                         sizeof(x->replay.bitmap) * 8)) {
                x->stats.replay_window++;
                return -EINVAL;
        }
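Review bot: the clamp `min_t(unsigned int, x->props.replay_window, sizeof(x->replay.bitmap) * 8)` silently narrows an oversized configured window to the 32 sequence numbers the bitmap can actually track, so an administrator who sets replay_window above 32 gets a smaller window than requested with no indication of it; consider also rejecting, or at least reporting, a replay_window larger than the bitmap where the state is configured, so that this check is a backstop rather than the only place the limit is enforced. A one-line comment above the condition saying that the window is bounded by the bitmap width would help the next reader, and note that packets dropped because of the clamp are counted in `x->stats.replay_window` together with ordinary too-old packets, which is fine but worth knowing when interpreting that counter.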