From 2dbe403fcb0dac676d4f57125238630812342b9b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 21 Feb 2017 22:09:56 +0100
Subject: [PATCH] macsec: fix input range of 'icvlen' parameter
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1373121
Upstream Status: iproute2.git commit f20f5f79909fd
Conflicts:
* Added missing MACSEC_STD_ICV_LEN define to linux headers.
commit f20f5f79909fdc6327fcd015a3850645a236729d
Author: Davide Caratti <dcaratti@redhat.com>
Date: Fri Sep 9 16:02:22 2016 +0200
macsec: fix input range of 'icvlen' parameter
the maximum possible ICV length in a MACsec frame is 16 octets, not 32:
fix get_icvlen() accordingly, so that a proper error message is displayed
in case input 'icvlen' is greater than 16.
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Acked-by: Sabrina Dubroca <sd@queasysnail.net>
---
include/linux/if_macsec.h | 2 ++
ip/ipmacsec.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/linux/if_macsec.h b/include/linux/if_macsec.h
index cbd4faa..22939a3 100644
--- a/include/linux/if_macsec.h
+++ b/include/linux/if_macsec.h
@@ -26,6 +26,8 @@
#define MACSEC_MIN_ICV_LEN 8
#define MACSEC_MAX_ICV_LEN 32
+/* upper limit for ICV length as recommended by IEEE802.1AE-2006 */
+#define MACSEC_STD_ICV_LEN 16
enum macsec_attrs {
MACSEC_ATTR_UNSPEC,
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 596594f..0c51bfc 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -167,9 +167,9 @@ static void get_icvlen(__u8 *icvlen, char *arg)
if (ret)
invarg("expected ICV length", arg);
- if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_MAX_ICV_LEN)
+ if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_STD_ICV_LEN)
invarg("ICV length must be in the range {"
- STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_MAX_ICV_LEN)
+ STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_STD_ICV_LEN)
"}", arg);
}
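Review bot: The range check in get_icvlen() now uses MACSEC_STD_ICV_LEN while MACSEC_MAX_ICV_LEN (32) stays defined in if_macsec.h, and nothing at the check says why the smaller constant is the right one. A short comment above the `if` would keep a later cleanup from switching it back, for example `/* ICV is capped at MACSEC_STD_ICV_LEN (IEEE 802.1AE-2006), not the UAPI maximum MACSEC_MAX_ICV_LEN */`. This check only validates the command-line argument; presumably the kernel applies its own limit to the value it receives, but that is not visible here and is worth confirming. The start of get_icvlen() lies outside the hunk.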
--
1.8.3.1