[IPSEC]: Do not let packets pass when ICMP flag is off

This fixes a logical error in ICMP policy checks which lets
packets through if the state ICMP flag is off.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 10 insertions, 4 deletions

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index c41f3cc4fba8..ce5b4be559aa 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -977,10 +977,13 @@ int icmp_rcv(struct sk_buff *skb)
         struct icmphdr *icmph;
         struct rtable *rt = (struct rtable *)skb->dst;
 
-        if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb) && skb->sp &&
-            skb->sp->xvec[skb->sp->len - 1]->props.flags & XFRM_STATE_ICMP) {
+        if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
                 int nh;
 
+                if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags &
+                                 XFRM_STATE_ICMP))
+                        goto drop;
+
                 if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr)))
                         goto drop;
 
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 1659d2fb01fe..c3bbd8687307 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -644,10 +644,13 @@ static int icmpv6_rcv(struct sk_buff *skb)
         struct icmp6hdr *hdr;
         int type;
 
-        if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb) && skb->sp &&
-            skb->sp->xvec[skb->sp->len - 1]->props.flags & XFRM_STATE_ICMP) {
+        if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
                 int nh;
 
+                if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags &
+                                 XFRM_STATE_ICMP))
+                        goto drop_no_count;
+
                 if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(*orig_hdr)))
                         goto drop_no_count;