On Wed, Jan 17, 2018 at 03:52:41PM +0200, [email protected] wrote: > From: Yossi Kuperman <[email protected]> > > Current code configures the hardware with a new SA before the state has been > fully initialized. During this time interval, an incoming ESP packet can cause > a crash due to a NULL dereference. More specifically, xfrm_input() considers > the packet as valid, and yet, anti-replay mechanism is not initialized. > > Move hardware configuration to the end of xfrm_state_construct(), and mark > the state as valid once the SA is fully initialized. > > Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") > Signed-off-by: Aviad Yehezkel <[email protected]> > Signed-off-by: Aviv Heller <[email protected]> > Signed-off-by: Yossi Kuperman <[email protected]>
Applied, thanks Yossi!
