lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ah: Read nexthdr value before overwriting it in ahash input callback.

Browse Source 
The AH4/6 ahash input callbacks read out the nexthdr field from the AH
header *after* they overwrite that header.  This is obviously not going
to end well.  Fix it up.

Signed-off-by: Nick Bowler <nbowler@elliptictech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Nick Bowler
2011-11-08 12:12:45 +00:00
committed by David S. Miller
parent 069294e813
commit b7ea81a58a
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
net/ipv4/ah4.c
View File

@@ -262,12 +262,12 @@ static void ah_input_done(struct crypto_async_request *base, int err)
if (err) if (err)
goto out; goto out;
err = ah->nexthdr;
skb->network_header += ah_hlen; skb->network_header += ah_hlen;
memcpy(skb_network_header(skb), work_iph, ihl); memcpy(skb_network_header(skb), work_iph, ihl);
__skb_pull(skb, ah_hlen + ihl); __skb_pull(skb, ah_hlen + ihl);
skb_set_transport_header(skb, -ihl); skb_set_transport_header(skb, -ihl);
err = ah->nexthdr;
out: out:
kfree(AH_SKB_CB(skb)->tmp); kfree(AH_SKB_CB(skb)->tmp);
xfrm_input_resume(skb, err); xfrm_input_resume(skb, err);

4
net/ipv6/ah6.c
View File

@@ -464,12 +464,12 @@ static void ah6_input_done(struct crypto_async_request *base, int err)
if (err) if (err)
goto out; goto out;
err = ah->nexthdr;
skb->network_header += ah_hlen; skb->network_header += ah_hlen;
memcpy(skb_network_header(skb), work_iph, hdr_len); memcpy(skb_network_header(skb), work_iph, hdr_len);
__skb_pull(skb, ah_hlen + hdr_len); __skb_pull(skb, ah_hlen + hdr_len);
skb_set_transport_header(skb, -hdr_len); skb_set_transport_header(skb, -hdr_len);
err = ah->nexthdr;
out: out:
kfree(AH_SKB_CB(skb)->tmp); kfree(AH_SKB_CB(skb)->tmp);
xfrm_input_resume(skb, err); xfrm_input_resume(skb, err);