diff options
| -rw-r--r-- | net/xfrm/xfrm_input.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 113f44429982..cb97fda1b6df 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
| @@ -49,13 +49,16 @@ EXPORT_SYMBOL(secpath_dup); | |||
| 49 | int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) | 49 | int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) |
| 50 | { | 50 | { |
| 51 | int offset, offset_seq; | 51 | int offset, offset_seq; |
| 52 | int hlen; | ||
| 52 | 53 | ||
| 53 | switch (nexthdr) { | 54 | switch (nexthdr) { |
| 54 | case IPPROTO_AH: | 55 | case IPPROTO_AH: |
| 56 | hlen = sizeof(struct ip_auth_hdr); | ||
| 55 | offset = offsetof(struct ip_auth_hdr, spi); | 57 | offset = offsetof(struct ip_auth_hdr, spi); |
| 56 | offset_seq = offsetof(struct ip_auth_hdr, seq_no); | 58 | offset_seq = offsetof(struct ip_auth_hdr, seq_no); |
| 57 | break; | 59 | break; |
| 58 | case IPPROTO_ESP: | 60 | case IPPROTO_ESP: |
| 61 | hlen = sizeof(struct ip_esp_hdr); | ||
| 59 | offset = offsetof(struct ip_esp_hdr, spi); | 62 | offset = offsetof(struct ip_esp_hdr, spi); |
| 60 | offset_seq = offsetof(struct ip_esp_hdr, seq_no); | 63 | offset_seq = offsetof(struct ip_esp_hdr, seq_no); |
| 61 | break; | 64 | break; |
| @@ -69,7 +72,7 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) | |||
| 69 | return 1; | 72 | return 1; |
| 70 | } | 73 | } |
| 71 | 74 | ||
| 72 | if (!pskb_may_pull(skb, 16)) | 75 | if (!pskb_may_pull(skb, hlen)) |
| 73 | return -EINVAL; | 76 | return -EINVAL; |
| 74 | 77 | ||
| 75 | *spi = *(__be32*)(skb_transport_header(skb) + offset); | 78 | *spi = *(__be32*)(skb_transport_header(skb) + offset); |