ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

We're never supposed to shrink the headroom or tailroom. In fact, shrinking the headroom is a fatal action. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2008-09-30 05:03:19 -0400
committer: David S. Miller <davem@davemloft.net> 2008-09-30 05:03:19 -0400
commit: d01dbeb6af7a0848063033f73c3d146fec7451f3 (patch)
tree: 7b912030e10097483843c0dfa006e3793e31c9ae /net/xfrm
parent: 94aca1dac6f6d21f4b07e4864baf7768cabcc6e7 (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index ac25b4c0e982..dc50f1e71f76 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -27,10 +27,14 @@ static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
                - skb_headroom(skb);
        int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
-        if (nhead > 0 || ntail > 0)
+        if (nhead <= 0) {
-                return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
+                if (ntail <= 0)
+                        return 0;
-        return 0;
+                nhead = 0;
+        } else if (ntail < 0)
+                ntail = 0;
+        return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
 }
 static int xfrm_output_one(struct sk_buff *skb, int err)
author	Herbert Xu <herbert@gondor.apana.org.au>	2008-09-30 05:03:19 -0400
committer	David S. Miller <davem@davemloft.net>	2008-09-30 05:03:19 -0400
commit	d01dbeb6af7a0848063033f73c3d146fec7451f3 (patch)
tree	7b912030e10097483843c0dfa006e3793e31c9ae /net/xfrm
parent	94aca1dac6f6d21f4b07e4864baf7768cabcc6e7 (diff)

diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index ac25b4c0e982..dc50f1e71f76 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c
@@ -27,10 +27,14 @@ static int xfrm_state_check_space(struct xfrm_state x, struct sk_buff skb)
27	- skb_headroom(skb);	27	- skb_headroom(skb);
28	int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);	28	int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
29		29
30	if (nhead > 0 \|\| ntail > 0)	30	if (nhead <= 0) {
31	return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);	31	if (ntail <= 0)
32		32	return 0;
33	return 0;	33	nhead = 0;
		34	} else if (ntail < 0)
		35	ntail = 0;
		36
		37	return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
34	}	38	}
35		39
36	static int xfrm_output_one(struct sk_buff *skb, int err)	40	static int xfrm_output_one(struct sk_buff *skb, int err)