diff options
| -rw-r--r-- | net/xfrm/xfrm_user.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index fc152d28753..ccc4c0c8ef0 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -360,6 +360,23 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props, | |||
| 360 | return 0; | 360 | return 0; |
| 361 | } | 361 | } |
| 362 | 362 | ||
| 363 | static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, | ||
| 364 | struct nlattr *rp) | ||
| 365 | { | ||
| 366 | struct xfrm_replay_state_esn *up; | ||
| 367 | |||
| 368 | if (!replay_esn || !rp) | ||
| 369 | return 0; | ||
| 370 | |||
| 371 | up = nla_data(rp); | ||
| 372 | |||
| 373 | if (xfrm_replay_state_esn_len(replay_esn) != | ||
| 374 | xfrm_replay_state_esn_len(up)) | ||
| 375 | return -EINVAL; | ||
| 376 | |||
| 377 | return 0; | ||
| 378 | } | ||
| 379 | |||
| 363 | static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, | 380 | static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, |
| 364 | struct xfrm_replay_state_esn **preplay_esn, | 381 | struct xfrm_replay_state_esn **preplay_esn, |
| 365 | struct nlattr *rta) | 382 | struct nlattr *rta) |
| @@ -1766,6 +1783,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1766 | if (x->km.state != XFRM_STATE_VALID) | 1783 | if (x->km.state != XFRM_STATE_VALID) |
| 1767 | goto out; | 1784 | goto out; |
| 1768 | 1785 | ||
| 1786 | err = xfrm_replay_verify_len(x->replay_esn, rp); | ||
| 1787 | if (err) | ||
| 1788 | goto out; | ||
| 1789 | |||
| 1769 | spin_lock_bh(&x->lock); | 1790 | spin_lock_bh(&x->lock); |
| 1770 | xfrm_update_ae_params(x, attrs); | 1791 | xfrm_update_ae_params(x, attrs); |
| 1771 | spin_unlock_bh(&x->lock); | 1792 | spin_unlock_bh(&x->lock); |