Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2018-05-31

1) Avoid possible overflow of the offset variable
   in  _decode_session6(), this fixes an infinite
   lookp there. From Eric Dumazet.

2) We may use an error pointer in the error path of
   xfrm_bundle_create(). Fix this by returning this
   pointer directly to the caller.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 3 insertions, 4 deletions

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 416fe67271a9..86dba282a147 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -126,7 +126,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
         struct flowi6 *fl6 = &fl->u.ip6;
         int onlyproto = 0;
         const struct ipv6hdr *hdr = ipv6_hdr(skb);
-        u16 offset = sizeof(*hdr);
+        u32 offset = sizeof(*hdr);
         struct ipv6_opt_hdr *exthdr;
         const unsigned char *nh = skb_network_header(skb);
         u16 nhoff = IP6CB(skb)->nhoff;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 40b54cc64243..5f48251c1319 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1658,7 +1658,6 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                 trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;
         }
 
-out:
         return &xdst0->u.dst;
 
 put_states:
@@ -1667,8 +1666,8 @@ put_states:
 free_dst:
         if (xdst0)
                 dst_release_immediate(&xdst0->u.dst);
-        xdst0 = ERR_PTR(err);
-        goto out;
+
+        return ERR_PTR(err);
 }
 
 static int xfrm_expand_policies(const struct flowi *fl, u16 family,