-rw-r--r--net/ipv4/ah4.c4
-rw-r--r--net/ipv4/esp4.c1
-rw-r--r--net/ipv6/ah6.c4
-rw-r--r--net/ipv6/esp6.c1
-rw-r--r--net/xfrm/xfrm_input.c5
5 files changed, 6 insertions, 9 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index ec8de0aa20ec..d76803a3dcae 100644
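--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -179,10 +179,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
 err = ah_mac_digest(ahp, skb, ah->auth_data);
 if (err)
 goto unlock;
-if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
-xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
+if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
 err = -EBADMSG;
-}
 }
 unlock:
 spin_unlock(&x->lock);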
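Review bot: The ICV check kept at new line 182 still uses `memcmp()`, which stops at the first differing byte, so the time taken to reject a forged packet can depend on how many leading ICV bytes matched. A constant-time compare is the safer form for a MAC check, e.g. `if (crypto_memneq(ahp->work_icv, auth_data, ahp->icv_trunc_len))`, provided this tree has that helper (later kernels do; it is not visible here). The same `memcmp()` pattern appears in the ah6.c hunk and on the context lines of the esp4.c and esp6.c hunks. ah_input's body starts and ends outside the hunk.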
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index b334c7619c08..28ea5c77ca23 100644
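--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -191,7 +191,6 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 BUG();
 
 if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
 err = -EBADMSG;
 goto unlock;
 }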
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 2d32772c87c3..fb0d07a15e93 100644
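--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -380,10 +380,8 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
 err = ah_mac_digest(ahp, skb, ah->auth_data);
 if (err)
 goto unlock;
-if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
-xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
+if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
 err = -EBADMSG;
-}
 }
 unlock:
 spin_unlock(&x->lock);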
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index e10f10bfe2c9..5bd5292ad9fa 100644
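--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -186,7 +186,6 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 BUG();
 
 if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
 ret = -EBADMSG;
 goto unlock;
 }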
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 1b250f33ad5b..039e7019c48a 100644
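--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -186,8 +186,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 resume:
 spin_lock(&x->lock);
 if (nexthdr <= 0) {
-if (nexthdr == -EBADMSG)
+if (nexthdr == -EBADMSG) {
+xfrm_audit_state_icvfail(x, skb,
+x->type->proto);
 x->stats.integrity_failed++;
+}
 XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR);
 goto drop_unlock;
 }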
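Review bot: The audit record at new lines 190-191 is now keyed only on the return code, so any protocol input path that returns `-EBADMSG` for a reason other than an ICV mismatch would be logged as an integrity failure, and a handler that reports a mismatch with a different code would not be audited at all. The branch deserves a comment stating that contract, for example `/* -EBADMSG from the type's input handler means the ICV did not verify; audit and count it here */`. The call also runs with `x->lock` held (taken at line 187) and fires once per rejected packet, so it is worth confirming that `xfrm_audit_state_icvfail()` cannot sleep and that audit volume stays bounded when a peer sends many bad packets. xfrm_input's body starts and ends outside the hunk.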