From 2dbe403fcb0dac676d4f57125238630812342b9b Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 21 Feb 2017 22:09:56 +0100 Subject: [PATCH] macsec: fix input range of 'icvlen' parameter Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1373121 Upstream Status: iproute2.git commit f20f5f79909fd Conflicts: * Added missing MACSEC_STD_ICV_LEN define to linux headers. commit f20f5f79909fdc6327fcd015a3850645a236729d Author: Davide Caratti Date: Fri Sep 9 16:02:22 2016 +0200 macsec: fix input range of 'icvlen' parameter the maximum possible ICV length in a MACsec frame is 16 octects, not 32: fix get_icvlen() accordingly, so that a proper error message is displayed in case input 'icvlen' is greater than 16. Signed-off-by: Davide Caratti Acked-by: Phil Sutter Acked-by: Sabrina Dubroca
---
 include/linux/if_macsec.h | 2 ++ ip/ipmacsec.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/linux/if_macsec.h b/include/linux/if_macsec.h
index cbd4faa..22939a3 100644
--- a/include/linux/if_macsec.h
+++ b/include/linux/if_macsec.h
@@ -26,6 +26,8 @@
 #define MACSEC_MIN_ICV_LEN 8
 #define MACSEC_MAX_ICV_LEN 32
+/* upper limit for ICV length as recommended by IEEE802.1AE-2006 */
+#define MACSEC_STD_ICV_LEN 16
 enum macsec_attrs {
 MACSEC_ATTR_UNSPEC,
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 596594f..0c51bfc 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -167,9 +167,9 @@ static void get_icvlen(__u8 *icvlen, char *arg)
 if (ret)
 invarg("expected ICV length", arg);
- if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_MAX_ICV_LEN)
+ if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_STD_ICV_LEN)
 invarg("ICV length must be in the range {"
- STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_MAX_ICV_LEN)
+ STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_STD_ICV_LEN)
 "}", arg);
 }
-- 1.8.3.1
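Review bot: The comment added in `include/linux/if_macsec.h` does not say how `MACSEC_STD_ICV_LEN` relates to `MACSEC_MAX_ICV_LEN`, which stays at 32 two lines above it, so a reader cannot tell which bound input validation is meant to use. I would extend it to something like `/* upper limit for ICV length as recommended by IEEE802.1AE-2006; validate user-supplied lengths against this, not MACSEC_MAX_ICV_LEN */`. The commit message lists this define under Conflicts as a local addition to the header, so presumably a later resync of the header from the kernel tree has to carry it or `ip/ipmacsec.c` stops building.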
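Review bot: The tightened upper bound in `get_icvlen` is a front-end check in the `ip` tool only, so it improves the error message but is not where the ICV length limit is enforced. Any other netlink client is still bounded by whatever the kernel validates, which this patch does not show. Because `MACSEC_MAX_ICV_LEN` remains defined as 32, a short comment above the condition would keep a later cleanup from switching back, for example `/* 802.1AE caps the ICV at 16 octets; MACSEC_MAX_ICV_LEN (32) is wider than the standard allows */`. The function begins above the hunk, so the parse that sets `ret` is not visible here.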