[IPSEC]: Reject packets within replay window but outside the bit mask

Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accomodate 32 packets.  Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.

This patch causes those packets to be rejected instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 4318aa0f8b8606f65b71f70e8fc63b6a5485ec90..11a969014fcc5078175583eb06d1405b362150ed 100644 (file)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -776,7 +776,8 @@ int xfrm_replay_check(struct xfrm_state *x, u32 seq)
                return 0;
 
        diff = x->replay.seq - seq;
-       if (diff >= x->props.replay_window) {
+       if (diff >= min_t(unsigned int, x->props.replay_window,
+                         sizeof(x->replay.bitmap) * 8)) {
                x->stats.replay_window++;
                return -EINVAL;
        }