Merge branch 'ipsec-sa-cfg-equals'
authorTobias Brunner <tobias@strongswan.org>
Thu, 9 Jun 2016 09:46:06 +0000 (11:46 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 9 Jun 2016 09:46:06 +0000 (11:46 +0200)
Fixes the comparison of ipsec_sa_cfg_t instances in case there is
padding that's not initialized to zero.

Fixes #1503.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/libstrongswan/ipsec/ipsec_types.c
src/libstrongswan/ipsec/ipsec_types.h

index add4761..ab896a4 100644 (file)
@@ -414,8 +414,9 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
 {
        return sa->src->ip_equals(sa->src, other_sa->src) &&
                   sa->dst->ip_equals(sa->dst, other_sa->dst) &&
-                  memeq(&sa->mark, &other_sa->mark, sizeof(mark_t)) &&
-                  memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
+                  sa->mark.value == other_sa->mark.value &&
+                  sa->mark.mask == other_sa->mark.mask &&
+                  ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
 }
 
 /**
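Review bot: The comparison in `ipsec_sa_equals` now ignores padding, but the hash function that is presumably paired with it for the SA table is outside this hunk and may not have been changed. If that hash still runs over the raw bytes of `sa->cfg` or `sa->mark`, two SAs that compare equal here can land in different buckets and the lookup would miss just as it did before the fix. It is worth confirming that the hash is built from the same members that are compared; the same question applies to the `ipsec_sa_equals` change in kernel_pfkey_ipsec.c. A comment above the function such as `/* compare member-wise, padding may be uninitialized; keep in sync with the hash */` would record the constraint.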
index be223b7..a0fd429 100644 (file)
@@ -352,7 +352,7 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
 {
        return sa->src->ip_equals(sa->src, other_sa->src) &&
                   sa->dst->ip_equals(sa->dst, other_sa->dst) &&
-                  memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
+                  ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
 }
 
 /**
index f2ee11e..a52a1eb 100644 (file)
@@ -40,6 +40,22 @@ ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
 /*
  * See header
  */
+bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b)
+{
+       return a->mode == b->mode &&
+               a->reqid == b->reqid &&
+               a->policy_count == b->policy_count &&
+               a->esp.use == b->esp.use &&
+               a->esp.spi == b->esp.spi &&
+               a->ah.use == b->ah.use &&
+               a->ah.spi == b->ah.spi &&
+               a->ipcomp.transform == b->ipcomp.transform &&
+               a->ipcomp.cpi == b->ipcomp.cpi;
+}
+
+/*
+ * See header
+ */
 bool mark_from_string(const char *value, mark_t *mark)
 {
        char *endptr;
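Review bot: `ipsec_sa_cfg_equals` only reads through its two pointers, so both parameters could be const-qualified: `bool ipsec_sa_cfg_equals(const ipsec_sa_cfg_t *a, const ipsec_sa_cfg_t *b)`, with the declaration in ipsec_types.h changed to match. Callers holding a const configuration could then compare it without a cast, and the signature would show that neither object is modified. The `mark_from_string` body that follows continues outside the hunk and is not affected.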
index cbc0d08..c93d955 100644 (file)
@@ -143,6 +143,15 @@ struct ipsec_sa_cfg_t {
 };
 
 /**
+ * Compare two ipsec_sa_cfg_t objects for equality.
+ *
+ * @param a                    first object
+ * @param b                    second object
+ * @return                     TRUE if both objects are equal
+ */
+bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b);
+
+/**
  * A lifetime_cfg_t defines the lifetime limits of an SA.
  *
  * Set any of these values to 0 to ignore.
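Review bot: The new doc comment for `ipsec_sa_cfg_equals` does not say that the comparison is member-wise or why, which is what would stop a later caller from going back to `memeq()` on the whole struct. I would add a line such as `Compares member by member, as padding in the struct might not be initialized.` to the description. A short reminder at `struct ipsec_sa_cfg_t` that new members must also be added to `ipsec_sa_cfg_equals()` would help too, because a forgotten member would make differing configurations compare equal. The struct body ends just above this hunk, so it can't be checked from here whether every current member is covered.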