author | Steffen Klassert <steffen.klassert@secunet.com> | 2013-09-09 03:39:01 -0400 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2013-09-16 03:39:37 -0400 |
commit | 4479ff76c43607b680f9349128d8493228b49dce (patch) | |
tree | 5144879a8baaa977847276d0c4758cd8f2735bce /net/xfrm | |
parent | 73a695f8572e4c46a2aecdbb63f26f36a43e6873 (diff) |
xfrm: Fix replay size checking on async events
We pass the wrong netlink attribute to xfrm_replay_verify_len().
It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
we are currently doing. This causes memory corruption if the
replay esn attribute has incorrect length. Fix this by passing
the right attribute to xfrm_replay_verify_len().
Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_user.c | 2 |
1 files changed, 1 insertions, 1 deletions
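--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1856,7 +1856,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
 if (x->km.state != XFRM_STATE_VALID)
 goto out;
 
-err = xfrm_replay_verify_len(x->replay_esn, rp);
+err = xfrm_replay_verify_len(x->replay_esn, re);
 if (err)
 goto out;
 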
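Review bot: The corrected call on new line 1859 still depends on telling `rp` and `re` apart, two locals whose names differ by one letter and which, going by the commit message, hold the XFRMA_REPLAY_VAL and XFRMA_REPLAY_ESN_VAL attributes. If both are the same pointer type, as seems likely, the compiler cannot catch a swap, so the mix-up this commit fixes could recur unnoticed. A comment directly above the call would pin the intent, for example `/* re is XFRMA_REPLAY_ESN_VAL: its length must match x->replay_esn before the ESN state is updated */`. xfrm_new_ae starts and ends outside this hunk, so it is not visible here whether this length check is the only guard before `re` is consumed; that is worth confirming when the fix is backported.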