diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2017-12-15 16:40:44 +1100 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2017-12-19 08:23:21 +0100 |
| commit | acf568ee859f098279eadf551612f103afdacb4e (patch) | |
| tree | 2ca6509d139079ad95e37bdfb94bf570fc094a6d /net/openvswitch/Makefile | |
| parent | d2950278d2d04ff5314abeb38d9c59c4e7c0ee53 (diff) | |
| download | linux-acf568ee859f098279eadf551612f103afdacb4e.tar.bz2 | |
xfrm: Reinject transport-mode packets through tasklet
This is an old bugbear of mine:
https://www.mail-archive.com/netdev@vger.kernel.org/msg03894.html
By crafting special packets, it is possible to cause recursion
in our kernel when processing transport-mode packets at levels
that are only limited by packet size.
The easiest one is with DNAT, but an even worse one is where
UDP encapsulation is used in which case you just have to insert
an UDP encapsulation header in between each level of recursion.
This patch avoids this problem by reinjecting tranport-mode packets
through a tasklet.
Fixes: b05e106698d9 ("[IPV4/6]: Netfilter IPsec input hooks")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/openvswitch/Makefile')
0 files changed, 0 insertions, 0 deletions