Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b7ea81a5 authored Nov 08, 2011 by Nick Bowler Committed by David S. Miller Nov 09, 2011

ah: Read nexthdr value before overwriting it in ahash input callback.



The AH4/6 ahash input callbacks read out the nexthdr field from the AH
header *after* they overwrite that header.  This is obviously not going
to end well.  Fix it up.

Signed-off-by: Nick Bowler <nbowler@elliptictech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 069294e8

net/ipv4/ah4.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -262,12 +262,12 @@ static void ah_input_done(struct crypto_async_request *base, int err)
		if (err)
		goto out;

		err = ah->nexthdr;

		skb->network_header += ah_hlen;
		memcpy(skb_network_header(skb), work_iph, ihl);
		__skb_pull(skb, ah_hlen + ihl);
		skb_set_transport_header(skb, -ihl);

		err = ah->nexthdr;
		out:
		kfree(AH_SKB_CB(skb)->tmp);
		xfrm_input_resume(skb, err);

net/ipv6/ah6.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -464,12 +464,12 @@ static void ah6_input_done(struct crypto_async_request *base, int err)
		if (err)
		goto out;

		err = ah->nexthdr;

		skb->network_header += ah_hlen;
		memcpy(skb_network_header(skb), work_iph, hdr_len);
		__skb_pull(skb, ah_hlen + hdr_len);
		skb_set_transport_header(skb, -hdr_len);

		err = ah->nexthdr;
		out:
		kfree(AH_SKB_CB(skb)->tmp);
		xfrm_input_resume(skb, err);