On Wed, 2017-08-16 at 11:03 +0200, Jakub Sitnicki wrote:
> On Tue, 15 Aug 2017 15:25:10 -0700
> Jonathan Basseri <misterik...@google.com> wrote:
>
> > If an IPv6 socket has a valid dst cache, then xfrm_lookup_route will get
> > skipped. However, the cache is not invalidated when applying policy to a
> > socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
> > sometimes ignored on those sockets.
> >
> > This can be demonstrated like so,
> > 1. Create UDPv6 socket.
> > 2. connect() the socket.
> > 3. Apply an outbound XFRM policy to the socket.
> > 4. send() data on the socket.
> >
> > Packets will continue to be sent in the clear instead of matching an
> > xfrm or returning a no-match error (EAGAIN). This affects calls to
> > send() and not sendto().
> >
> > Note: Creating normal XFRM policies should have a similar effect on
> > sk_dst_cache entries that match the policy, but that is not fixed in
> > this patch.
> >
> > Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache
> > is valid")
> > Tested: https://android-review.googlesource.com/418659
> > Signed-off-by: Jonathan Basseri <misterik...@google.com>
> > ---
>
> Thank you for the fix.
>
> Acked-by: Jakub Sitnicki <j...@redhat.com>
I do not believe this fix is correct.
What happens if the socket is TCP ?
sk_dst_reset(sk) is not safe for them.
This might add use-after-free, and eventually crash.
