macsec: limit ICV length to 16 octets
IEEE 802.1AE-2006 standard recommends that the ICV element in a MACsec
frame should not exceed 16 octets: add MACSEC_STD_ICV_LEN in uapi
definitions accordingly, and avoid accepting configurations where the ICV
length exceeds the standard value. Leave definition of MACSEC_MAX_ICV_LEN
unchanged for backwards compatibility with userspace programs.
Fixes: dece8d2b78
("uapi: add MACsec bits")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Родитель
baedbe5588
Коммит
2ccbe2cb79
|
@ -510,7 +510,7 @@ static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
|
|||
}
|
||||
|
||||
#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
|
||||
#define MACSEC_NEEDED_TAILROOM MACSEC_MAX_ICV_LEN
|
||||
#define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN
|
||||
|
||||
static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
|
||||
{
|
||||
|
@ -3217,7 +3217,7 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[])
|
|||
case MACSEC_DEFAULT_CIPHER_ID:
|
||||
case MACSEC_DEFAULT_CIPHER_ALT:
|
||||
if (icv_len < MACSEC_MIN_ICV_LEN ||
|
||||
icv_len > MACSEC_MAX_ICV_LEN)
|
||||
icv_len > MACSEC_STD_ICV_LEN)
|
||||
return -EINVAL;
|
||||
break;
|
||||
default:
|
||||
|
|
|
@ -26,6 +26,8 @@
|
|||
|
||||
#define MACSEC_MIN_ICV_LEN 8
|
||||
#define MACSEC_MAX_ICV_LEN 32
|
||||
/* upper limit for ICV length as recommended by IEEE802.1AE-2006 */
|
||||
#define MACSEC_STD_ICV_LEN 16
|
||||
|
||||
enum macsec_attrs {
|
||||
MACSEC_ATTR_UNSPEC,
|
||||
|
|
Загрузка…
Ссылка в новой задаче