From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 28 Mar 2011 19:48:09 +0000 (+0000)
Subject: xfrm: Restrict extended sequence numbers to esp
X-Git-Tag: firefly_0821_release~7613^2~1737^2
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=02aadf72fe2c83f145e3437734e66be53abae481;p=firefly-linux-kernel-4.4.55.git

xfrm: Restrict extended sequence numbers to esp

The IPsec extended sequence numbers are fully implemented just for
esp. So restrict the usage to esp until other protocols have
support too.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index ccc4c0c8ef00..3d15d3e1b2c4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -127,6 +127,9 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
 	if (!rt)
 		return 0;
 
+	if (p->id.proto != IPPROTO_ESP)
+		return -EINVAL;
+
 	if (p->replay_window != 0)
 		return -EINVAL;