diff options
author | David S. Miller <davem@davemloft.net> | 2017-11-09 02:58:35 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-11-09 02:58:35 +0100 |
commit | 6a17280247458ac2c302200e2d6ae36656f75bc6 (patch) | |
tree | 1063ef6609bf185e13de668e07156e795d9cafb4 /net/xfrm/xfrm_input.c | |
parent | Merge branch 'net-sched-race-fix' (diff) | |
parent | xfrm: Fix stack-out-of-bounds read in xfrm_state_find. (diff) | |
download | linux-6a17280247458ac2c302200e2d6ae36656f75bc6.tar.xz linux-6a17280247458ac2c302200e2d6ae36656f75bc6.zip |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2017-11-09
1) Fix a use after free due to a reallocated skb head.
From Florian Westphal.
2) Fix sporadic lookup failures on labeled IPSEC.
From Florian Westphal.
3) Fix a stack out of bounds when a socket policy is applied
to an IPv6 socket that sends IPv4 packets.
Please pull or let me know if there are problems.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_input.c')
-rw-r--r-- | net/xfrm/xfrm_input.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 82d20ee34581..347ab31574d5 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -266,8 +266,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto lock; } - daddr = (xfrm_address_t *)(skb_network_header(skb) + - XFRM_SPI_SKB_CB(skb)->daddroff); family = XFRM_SPI_SKB_CB(skb)->family; /* if tunnel is present override skb->mark value with tunnel i_key */ @@ -294,6 +292,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto drop; } + daddr = (xfrm_address_t *)(skb_network_header(skb) + + XFRM_SPI_SKB_CB(skb)->daddroff); do { if (skb->sp->len == XFRM_MAX_DEPTH) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR); |