authorHerbert Xu <herbert@gondor.apana.org.au>2006-03-26 20:37:54 -0500
committerDavid S. Miller <davem@davemloft.net>2006-03-26 20:37:54 -0500
commit6abaaaae6d5ed52422c8caf65f3cdbb95579bb58 (patch)
treed35a7ca08d9ced7c7204197d2dd532bd3c8971fe /net/ipv6/ipcomp6.c
parent64bc0430ee78c03c5c4ce549e217bb74bff7ea5d (diff)
[IPSEC]: Fix tunnel error handling in ipcomp6
The error handling in ipcomp6_tunnel_create is broken in two ways: 1) If we fail to allocate an SPI (this should never happen in practice since there are plenty of 32-bit SPI values for us to use), we will still go ahead and create the SA. 2) When xfrm_init_state fails, we first of all may trigger the BUG_TRAP in __xfrm_state_destroy because we didn't set the state to DEAD. More importantly we end up returning the freed state as if we succeeded! This patch fixes them both. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ipcomp6.c')
-rw-r--r--net/ipv6/ipcomp6.c5
1 files changed, 5 insertions, 0 deletions
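--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -228,6 +228,9 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
 
 t->id.proto = IPPROTO_IPV6;
 t->id.spi = xfrm6_tunnel_alloc_spi((xfrm_address_t *)&x->props.saddr);
+if (!t->id.spi)
+goto error;
+
 memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr));
 memcpy(&t->sel, &x->sel, sizeof(t->sel));
 t->props.family = AF_INET6;
@@ -243,7 +246,9 @@ out:
 return t;
 
 error:
+t->km.state = XFRM_STATE_DEAD;
 xfrm_state_put(t);
+t = NULL;
 goto out;
 }
 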
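Review bot: The `error:` path in the second hunk relies on an ordering that nothing in the code records: `t->km.state = XFRM_STATE_DEAD` has to precede `xfrm_state_put(t)` (the description cites the BUG_TRAP in `__xfrm_state_destroy`), and `t = NULL` is the only thing that keeps `out:` from returning a pointer to freed memory. I would put a comment above those three lines, for example `/* mark DEAD before the final put (destroy path asserts it); clear t so out: never returns the freed state */`. The label is now reached both from the new SPI check and from the xfrm_init_state failure the description mentions, which presumably occurs after an SPI has already been reserved; whether that SPI is released when the state is destroyed is not visible here and is worth confirming. The start of ipcomp6_tunnel_create, the lines between the two hunks and the call site that must handle the NULL return are all outside the hunks.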