diff options
-rw-r--r-- | net/xfrm/xfrm_input.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 113f4442998..cb97fda1b6d 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
@@ -49,13 +49,16 @@ EXPORT_SYMBOL(secpath_dup); | |||
49 | int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) | 49 | int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) |
50 | { | 50 | { |
51 | int offset, offset_seq; | 51 | int offset, offset_seq; |
52 | int hlen; | ||
52 | 53 | ||
53 | switch (nexthdr) { | 54 | switch (nexthdr) { |
54 | case IPPROTO_AH: | 55 | case IPPROTO_AH: |
56 | hlen = sizeof(struct ip_auth_hdr); | ||
55 | offset = offsetof(struct ip_auth_hdr, spi); | 57 | offset = offsetof(struct ip_auth_hdr, spi); |
56 | offset_seq = offsetof(struct ip_auth_hdr, seq_no); | 58 | offset_seq = offsetof(struct ip_auth_hdr, seq_no); |
57 | break; | 59 | break; |
58 | case IPPROTO_ESP: | 60 | case IPPROTO_ESP: |
61 | hlen = sizeof(struct ip_esp_hdr); | ||
59 | offset = offsetof(struct ip_esp_hdr, spi); | 62 | offset = offsetof(struct ip_esp_hdr, spi); |
60 | offset_seq = offsetof(struct ip_esp_hdr, seq_no); | 63 | offset_seq = offsetof(struct ip_esp_hdr, seq_no); |
61 | break; | 64 | break; |
@@ -69,7 +72,7 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) | |||
69 | return 1; | 72 | return 1; |
70 | } | 73 | } |
71 | 74 | ||
72 | if (!pskb_may_pull(skb, 16)) | 75 | if (!pskb_may_pull(skb, hlen)) |
73 | return -EINVAL; | 76 | return -EINVAL; |
74 | 77 | ||
75 | *spi = *(__be32*)(skb_transport_header(skb) + offset); | 78 | *spi = *(__be32*)(skb_transport_header(skb) + offset); |