diff options
| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-03 22:16:23 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-06-04 23:01:47 -0400 |
| commit | 3f29770723fe498a5c5f57c3a31a996ebdde03e1 (patch) | |
| tree | d93c21ae11e1ca396088bc931fc9a479b9a1b211 | |
| parent | 48a1df65334b74bd7531f932cca5928932abf769 (diff) | |
ipsec: check return value of skb_to_sgvec always
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/ah4.c | 8 | ||||
| -rw-r--r-- | net/ipv4/esp4.c | 20 | ||||
| -rw-r--r-- | net/ipv6/ah6.c | 8 | ||||
| -rw-r--r-- | net/ipv6/esp6.c | 20 |
4 files changed, 38 insertions, 18 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index 22377c8ff14b..e8f862358518 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c | |||
| @@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 220 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); | 220 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); |
| 221 | 221 | ||
| 222 | sg_init_table(sg, nfrags + sglists); | 222 | sg_init_table(sg, nfrags + sglists); |
| 223 | skb_to_sgvec_nomark(skb, sg, 0, skb->len); | 223 | err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); |
| 224 | if (unlikely(err < 0)) | ||
| 225 | goto out_free; | ||
| 224 | 226 | ||
| 225 | if (x->props.flags & XFRM_STATE_ESN) { | 227 | if (x->props.flags & XFRM_STATE_ESN) { |
| 226 | /* Attach seqhi sg right after packet payload */ | 228 | /* Attach seqhi sg right after packet payload */ |
| @@ -393,7 +395,9 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 393 | skb_push(skb, ihl); | 395 | skb_push(skb, ihl); |
| 394 | 396 | ||
| 395 | sg_init_table(sg, nfrags + sglists); | 397 | sg_init_table(sg, nfrags + sglists); |
| 396 | skb_to_sgvec_nomark(skb, sg, 0, skb->len); | 398 | err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); |
| 399 | if (unlikely(err < 0)) | ||
| 400 | goto out_free; | ||
| 397 | 401 | ||
| 398 | if (x->props.flags & XFRM_STATE_ESN) { | 402 | if (x->props.flags & XFRM_STATE_ESN) { |
| 399 | /* Attach seqhi sg right after packet payload */ | 403 | /* Attach seqhi sg right after packet payload */ |
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 93322f895eab..d815d1755473 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
| @@ -377,9 +377,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * | |||
| 377 | esp->esph = esph; | 377 | esp->esph = esph; |
| 378 | 378 | ||
| 379 | sg_init_table(sg, esp->nfrags); | 379 | sg_init_table(sg, esp->nfrags); |
| 380 | skb_to_sgvec(skb, sg, | 380 | err = skb_to_sgvec(skb, sg, |
| 381 | (unsigned char *)esph - skb->data, | 381 | (unsigned char *)esph - skb->data, |
| 382 | assoclen + ivlen + esp->clen + alen); | 382 | assoclen + ivlen + esp->clen + alen); |
| 383 | if (unlikely(err < 0)) | ||
| 384 | goto error; | ||
| 383 | 385 | ||
| 384 | if (!esp->inplace) { | 386 | if (!esp->inplace) { |
| 385 | int allocsize; | 387 | int allocsize; |
| @@ -403,9 +405,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * | |||
| 403 | spin_unlock_bh(&x->lock); | 405 | spin_unlock_bh(&x->lock); |
| 404 | 406 | ||
| 405 | sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1); | 407 | sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1); |
| 406 | skb_to_sgvec(skb, dsg, | 408 | err = skb_to_sgvec(skb, dsg, |
| 407 | (unsigned char *)esph - skb->data, | 409 | (unsigned char *)esph - skb->data, |
| 408 | assoclen + ivlen + esp->clen + alen); | 410 | assoclen + ivlen + esp->clen + alen); |
| 411 | if (unlikely(err < 0)) | ||
| 412 | goto error; | ||
| 409 | } | 413 | } |
| 410 | 414 | ||
| 411 | if ((x->props.flags & XFRM_STATE_ESN)) | 415 | if ((x->props.flags & XFRM_STATE_ESN)) |
| @@ -690,7 +694,9 @@ skip_cow: | |||
| 690 | esp_input_set_header(skb, seqhi); | 694 | esp_input_set_header(skb, seqhi); |
| 691 | 695 | ||
| 692 | sg_init_table(sg, nfrags); | 696 | sg_init_table(sg, nfrags); |
| 693 | skb_to_sgvec(skb, sg, 0, skb->len); | 697 | err = skb_to_sgvec(skb, sg, 0, skb->len); |
| 698 | if (unlikely(err < 0)) | ||
| 699 | goto out; | ||
| 694 | 700 | ||
| 695 | skb->ip_summed = CHECKSUM_NONE; | 701 | skb->ip_summed = CHECKSUM_NONE; |
| 696 | 702 | ||
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index dda6035e3b84..755f38271dd5 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c | |||
| @@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 423 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); | 423 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); |
| 424 | 424 | ||
| 425 | sg_init_table(sg, nfrags + sglists); | 425 | sg_init_table(sg, nfrags + sglists); |
| 426 | skb_to_sgvec_nomark(skb, sg, 0, skb->len); | 426 | err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); |
| 427 | if (unlikely(err < 0)) | ||
| 428 | goto out_free; | ||
| 427 | 429 | ||
| 428 | if (x->props.flags & XFRM_STATE_ESN) { | 430 | if (x->props.flags & XFRM_STATE_ESN) { |
| 429 | /* Attach seqhi sg right after packet payload */ | 431 | /* Attach seqhi sg right after packet payload */ |
| @@ -606,7 +608,9 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 606 | ip6h->hop_limit = 0; | 608 | ip6h->hop_limit = 0; |
| 607 | 609 | ||
| 608 | sg_init_table(sg, nfrags + sglists); | 610 | sg_init_table(sg, nfrags + sglists); |
| 609 | skb_to_sgvec_nomark(skb, sg, 0, skb->len); | 611 | err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); |
| 612 | if (unlikely(err < 0)) | ||
| 613 | goto out_free; | ||
| 610 | 614 | ||
| 611 | if (x->props.flags & XFRM_STATE_ESN) { | 615 | if (x->props.flags & XFRM_STATE_ESN) { |
| 612 | /* Attach seqhi sg right after packet payload */ | 616 | /* Attach seqhi sg right after packet payload */ |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 1fe99ba8066c..2ede4e459c4e 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
| @@ -346,9 +346,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info | |||
| 346 | esph = esp_output_set_esn(skb, x, ip_esp_hdr(skb), seqhi); | 346 | esph = esp_output_set_esn(skb, x, ip_esp_hdr(skb), seqhi); |
| 347 | 347 | ||
| 348 | sg_init_table(sg, esp->nfrags); | 348 | sg_init_table(sg, esp->nfrags); |
| 349 | skb_to_sgvec(skb, sg, | 349 | err = skb_to_sgvec(skb, sg, |
| 350 | (unsigned char *)esph - skb->data, | 350 | (unsigned char *)esph - skb->data, |
| 351 | assoclen + ivlen + esp->clen + alen); | 351 | assoclen + ivlen + esp->clen + alen); |
| 352 | if (unlikely(err < 0)) | ||
| 353 | goto error; | ||
| 352 | 354 | ||
| 353 | if (!esp->inplace) { | 355 | if (!esp->inplace) { |
| 354 | int allocsize; | 356 | int allocsize; |
| @@ -372,9 +374,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info | |||
| 372 | spin_unlock_bh(&x->lock); | 374 | spin_unlock_bh(&x->lock); |
| 373 | 375 | ||
| 374 | sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1); | 376 | sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1); |
| 375 | skb_to_sgvec(skb, dsg, | 377 | err = skb_to_sgvec(skb, dsg, |
| 376 | (unsigned char *)esph - skb->data, | 378 | (unsigned char *)esph - skb->data, |
| 377 | assoclen + ivlen + esp->clen + alen); | 379 | assoclen + ivlen + esp->clen + alen); |
| 380 | if (unlikely(err < 0)) | ||
| 381 | goto error; | ||
| 378 | } | 382 | } |
| 379 | 383 | ||
| 380 | if ((x->props.flags & XFRM_STATE_ESN)) | 384 | if ((x->props.flags & XFRM_STATE_ESN)) |
| @@ -618,7 +622,9 @@ skip_cow: | |||
| 618 | esp_input_set_header(skb, seqhi); | 622 | esp_input_set_header(skb, seqhi); |
| 619 | 623 | ||
| 620 | sg_init_table(sg, nfrags); | 624 | sg_init_table(sg, nfrags); |
| 621 | skb_to_sgvec(skb, sg, 0, skb->len); | 625 | ret = skb_to_sgvec(skb, sg, 0, skb->len); |
| 626 | if (unlikely(ret < 0)) | ||
| 627 | goto out; | ||
| 622 | 628 | ||
| 623 | skb->ip_summed = CHECKSUM_NONE; | 629 | skb->ip_summed = CHECKSUM_NONE; |
| 624 | 630 | ||