diff options
-rw-r--r-- | net/ipv4/ah4.c | 4 | ||||
-rw-r--r-- | net/ipv4/esp4.c | 1 | ||||
-rw-r--r-- | net/ipv6/ah6.c | 4 | ||||
-rw-r--r-- | net/ipv6/esp6.c | 1 | ||||
-rw-r--r-- | net/xfrm/xfrm_input.c | 5 |
5 files changed, 6 insertions, 9 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index ec8de0aa20ec..d76803a3dcae 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c | |||
@@ -179,10 +179,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) | |||
179 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 179 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
180 | if (err) | 180 | if (err) |
181 | goto unlock; | 181 | goto unlock; |
182 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { | 182 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) |
183 | xfrm_audit_state_icvfail(x, skb, IPPROTO_AH); | ||
184 | err = -EBADMSG; | 183 | err = -EBADMSG; |
185 | } | ||
186 | } | 184 | } |
187 | unlock: | 185 | unlock: |
188 | spin_unlock(&x->lock); | 186 | spin_unlock(&x->lock); |
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index b334c7619c08..28ea5c77ca23 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
@@ -191,7 +191,6 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) | |||
191 | BUG(); | 191 | BUG(); |
192 | 192 | ||
193 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { | 193 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { |
194 | xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP); | ||
195 | err = -EBADMSG; | 194 | err = -EBADMSG; |
196 | goto unlock; | 195 | goto unlock; |
197 | } | 196 | } |
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 2d32772c87c3..fb0d07a15e93 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c | |||
@@ -380,10 +380,8 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
380 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 380 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
381 | if (err) | 381 | if (err) |
382 | goto unlock; | 382 | goto unlock; |
383 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { | 383 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) |
384 | xfrm_audit_state_icvfail(x, skb, IPPROTO_AH); | ||
385 | err = -EBADMSG; | 384 | err = -EBADMSG; |
386 | } | ||
387 | } | 385 | } |
388 | unlock: | 386 | unlock: |
389 | spin_unlock(&x->lock); | 387 | spin_unlock(&x->lock); |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index e10f10bfe2c9..5bd5292ad9fa 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
@@ -186,7 +186,6 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
186 | BUG(); | 186 | BUG(); |
187 | 187 | ||
188 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { | 188 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { |
189 | xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP); | ||
190 | ret = -EBADMSG; | 189 | ret = -EBADMSG; |
191 | goto unlock; | 190 | goto unlock; |
192 | } | 191 | } |
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 1b250f33ad5b..039e7019c48a 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
@@ -186,8 +186,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) | |||
186 | resume: | 186 | resume: |
187 | spin_lock(&x->lock); | 187 | spin_lock(&x->lock); |
188 | if (nexthdr <= 0) { | 188 | if (nexthdr <= 0) { |
189 | if (nexthdr == -EBADMSG) | 189 | if (nexthdr == -EBADMSG) { |
190 | xfrm_audit_state_icvfail(x, skb, | ||
191 | x->type->proto); | ||
190 | x->stats.integrity_failed++; | 192 | x->stats.integrity_failed++; |
193 | } | ||
191 | XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR); | 194 | XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR); |
192 | goto drop_unlock; | 195 | goto drop_unlock; |
193 | } | 196 | } |