aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4/esp4.c
diff options
context:
space:
mode:
authorDavid S. Miller <davem@sunset.davemloft.net>2007-10-31 00:29:29 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-31 00:29:29 -0400
commit51c739d1f484b2562040a3e496dc8e1670d4e279 (patch)
tree87b12c2330f2951deb1a435367907d15a5d938c3 /net/ipv4/esp4.c
parent07afa040252eb41f91f46f8e538b434a63122999 (diff)
[NET]: Fix incorrect sg_mark_end() calls.
This fixes scatterlist corruptions added by commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256 [CRYPTO] users: Fix up scatterlist conversion errors The issue is that the code calls sg_mark_end() which clobbers the sg_page() pointer of the final scatterlist entry. The first part fo the fix makes skb_to_sgvec() do __sg_mark_end(). After considering all skb_to_sgvec() call sites the most correct solution is to call __sg_mark_end() in skb_to_sgvec() since that is what all of the callers would end up doing anyways. I suspect this might have fixed some problems in virtio_net which is the sole non-crypto user of skb_to_sgvec(). Other similar sg_mark_end() cases were converted over to __sg_mark_end() as well. Arguably sg_mark_end() is a poorly named function because it doesn't just "mark", it clears out the page pointer as a side effect, which is what led to these bugs in the first place. The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable() and arguably it could be converted to __sg_mark_end() if only so that we can delete this confusing interface from linux/scatterlist.h Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/esp4.c')
-rw-r--r--net/ipv4/esp4.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index cad4278025ad..c31bccb9b526 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -111,9 +111,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
111 goto unlock; 111 goto unlock;
112 } 112 }
113 sg_init_table(sg, nfrags); 113 sg_init_table(sg, nfrags);
114 sg_mark_end(sg, skb_to_sgvec(skb, sg, esph->enc_data + 114 skb_to_sgvec(skb, sg,
115 esp->conf.ivlen - 115 esph->enc_data +
116 skb->data, clen)); 116 esp->conf.ivlen -
117 skb->data, clen);
117 err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); 118 err = crypto_blkcipher_encrypt(&desc, sg, sg, clen);
118 if (unlikely(sg != &esp->sgbuf[0])) 119 if (unlikely(sg != &esp->sgbuf[0]))
119 kfree(sg); 120 kfree(sg);
@@ -205,8 +206,9 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
205 goto out; 206 goto out;
206 } 207 }
207 sg_init_table(sg, nfrags); 208 sg_init_table(sg, nfrags);
208 sg_mark_end(sg, skb_to_sgvec(skb, sg, sizeof(*esph) + esp->conf.ivlen, 209 skb_to_sgvec(skb, sg,
209 elen)); 210 sizeof(*esph) + esp->conf.ivlen,
211 elen);
210 err = crypto_blkcipher_decrypt(&desc, sg, sg, elen); 212 err = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
211 if (unlikely(sg != &esp->sgbuf[0])) 213 if (unlikely(sg != &esp->sgbuf[0]))
212 kfree(sg); 214 kfree(sg);