| From d0cfa548dbde354de986911d3913897b5448faad Mon Sep 17 00:00:00 2001 |
| From: Lior Nahmanson <liorna@nvidia.com> |
| Date: Sun, 30 Jan 2022 13:37:52 +0200 |
| Subject: net: macsec: Verify that send_sci is on when setting Tx sci |
| explicitly |
| |
| When setting Tx sci explicitly, the Rx side is expected to use this |
| sci and not recalculate it from the packet. However, in case Tx sci |
| is explicit and send_sci is off, the receiver wrongly recalculates |
| the sci from the source MAC address, which will most likely be different |
| from the explicit sci. |
| |
| Fix by preventing such configuration when macsec newlink is established |
| and returning EINVAL error code in such cases. |
| |
| Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") |
| Signed-off-by: Lior Nahmanson <liorna@nvidia.com> |
| Reviewed-by: Raed Salem <raeds@nvidia.com> |
| Signed-off-by: Raed Salem <raeds@nvidia.com> |
| Link: https://lore.kernel.org/r/1643542672-29403-1-git-send-email-raeds@nvidia.com |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| --- |
| drivers/net/macsec.c | 9 +++++++++ |
| 1 file changed, 9 insertions(+) |
| |
| --- a/drivers/net/macsec.c |
| +++ b/drivers/net/macsec.c |
| @@ -4047,6 +4047,15 @@ static int macsec_newlink(struct net *ne |
| !macsec_check_offload(macsec->offload, macsec)) |
| return -EOPNOTSUPP; |
| |
| + /* send_sci must be set to true when transmit sci explicitly is set */ |
| + if ((data && data[IFLA_MACSEC_SCI]) && |
| + (data && data[IFLA_MACSEC_INC_SCI])) { |
| + u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); |
| + |
| + if (!send_sci) |
| + return -EINVAL; |
| + } |
| + |
| if (data && data[IFLA_MACSEC_ICV_LEN]) |
| icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); |
| mtu = real_dev->mtu - icv_len - macsec_extra_len(true); |
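Review bot: The added condition tests `data` twice, once in each parenthesised half of the `if`, so it can be written as `if (data && data[IFLA_MACSEC_SCI] && data[IFLA_MACSEC_INC_SCI])`. The `send_sci` temporary and the `!!` are also unnecessary, since the value is only tested for zero: `if (!nla_get_u8(data[IFLA_MACSEC_INC_SCI])) return -EINVAL;` does the same thing. Separately, the check only rejects the request when IFLA_MACSEC_INC_SCI is supplied and is zero. When an explicit IFLA_MACSEC_SCI arrives without that attribute, the outcome depends on the default value of send_sci, which is not visible in this hunk, so the comment above the check should say that the default is being relied on. The commit message scopes the fix to newlink; it would help to state whether a later change of IFLA_MACSEC_INC_SCI on an existing link can recreate the same combination.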