1 files changed, 30 insertions, 16 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 7db66f10e00d..5bd5292ad9fa 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -165,31 +165,32 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                goto out;
        }
+        if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
+                ret = -EINVAL;
+                goto out;
+        }
+        skb->ip_summed = CHECKSUM_NONE;
+        spin_lock(&x->lock);
        /* If integrity check is required, do this. */
        if (esp->auth.icv_full_len) {
                u8 sum[alen];
                ret = esp_mac_digest(esp, skb, 0, skb->len - alen);
                if (ret)
-                        goto out;
+                        goto unlock;
                if (skb_copy_bits(skb, skb->len - alen, sum, alen))
                        BUG();
                if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-                        x->stats.integrity_failed++;
+                        ret = -EBADMSG;
-                        ret = -EINVAL;
+                        goto unlock;
-                        goto out;
                }
        }
-        if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
-                ret = -EINVAL;
-                goto out;
-        }
-        skb->ip_summed = CHECKSUM_NONE;
        esph = (struct ip_esp_hdr *)skb->data;
        iph = ipv6_hdr(skb);
@@ -198,15 +199,13 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen);
        {
-                u8 nexthdr[2];
                struct scatterlist *sg = &esp->sgbuf[0];
-                u8 padlen;
                if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
                        sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
                        if (!sg) {
                                ret = -ENOMEM;
-                                goto out;
+                                goto unlock;
                        }
                }
                sg_init_table(sg, nfrags);
@@ -216,8 +215,17 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
                if (unlikely(sg != &esp->sgbuf[0]))
                        kfree(sg);
-                if (unlikely(ret))
+        }
-                        goto out;
+unlock:
+        spin_unlock(&x->lock);
+        if (unlikely(ret))
+                goto out;
+        {
+                u8 nexthdr[2];
+                u8 padlen;
                if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
                        BUG();
@@ -230,6 +238,12 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                }
                /* ... check padding bits here. Silly. :-) */
+                /* RFC4303: Drop dummy packets without any error */
+                if (nexthdr[1] == IPPROTO_NONE) {
+                        ret = -EINVAL;
+                        goto out;
+                }
                pskb_trim(skb, skb->len - alen - padlen - 2);
                ret = nexthdr[1];
        }

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 7db66f10e00d..5bd5292ad9fa 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c
@@ -165,31 +165,32 @@ static int esp6_input(struct xfrm_state x, struct sk_buff skb)
165	goto out;	165	goto out;
166	}	166	}
167		167
		168	if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
		169	ret = -EINVAL;
		170	goto out;
		171	}
		172
		173	skb->ip_summed = CHECKSUM_NONE;
		174
		175	spin_lock(&x->lock);
		176
168	/* If integrity check is required, do this. */	177	/* If integrity check is required, do this. */
169	if (esp->auth.icv_full_len) {	178	if (esp->auth.icv_full_len) {
170	u8 sum[alen];	179	u8 sum[alen];
171		180
172	ret = esp_mac_digest(esp, skb, 0, skb->len - alen);	181	ret = esp_mac_digest(esp, skb, 0, skb->len - alen);
173	if (ret)	182	if (ret)
174	goto out;	183	goto unlock;
175		184
176	if (skb_copy_bits(skb, skb->len - alen, sum, alen))	185	if (skb_copy_bits(skb, skb->len - alen, sum, alen))
177	BUG();	186	BUG();
178		187
179	if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {	188	if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
180	x->stats.integrity_failed++;	189	ret = -EBADMSG;
181	ret = -EINVAL;	190	goto unlock;
182	goto out;
183	}	191	}
184	}	192	}
185		193
186	if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
187	ret = -EINVAL;
188	goto out;
189	}
190
191	skb->ip_summed = CHECKSUM_NONE;
192
193	esph = (struct ip_esp_hdr *)skb->data;	194	esph = (struct ip_esp_hdr *)skb->data;
194	iph = ipv6_hdr(skb);	195	iph = ipv6_hdr(skb);
195		196
@@ -198,15 +199,13 @@ static int esp6_input(struct xfrm_state x, struct sk_buff skb)
198	crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen);	199	crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen);
199		200
200	{	201	{
201	u8 nexthdr[2];
202	struct scatterlist *sg = &esp->sgbuf[0];	202	struct scatterlist *sg = &esp->sgbuf[0];
203	u8 padlen;
204		203
205	if (unlikely(nfrags > ESP_NUM_FAST_SG)) {	204	if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
206	sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);	205	sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
207	if (!sg) {	206	if (!sg) {
208	ret = -ENOMEM;	207	ret = -ENOMEM;
209	goto out;	208	goto unlock;
210	}	209	}
211	}	210	}
212	sg_init_table(sg, nfrags);	211	sg_init_table(sg, nfrags);
@@ -216,8 +215,17 @@ static int esp6_input(struct xfrm_state x, struct sk_buff skb)
216	ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen);	215	ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
217	if (unlikely(sg != &esp->sgbuf[0]))	216	if (unlikely(sg != &esp->sgbuf[0]))
218	kfree(sg);	217	kfree(sg);
219	if (unlikely(ret))	218	}
220	goto out;	219
		220	unlock:
		221	spin_unlock(&x->lock);
		222
		223	if (unlikely(ret))
		224	goto out;
		225
		226	{
		227	u8 nexthdr[2];
		228	u8 padlen;
221		229
222	if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))	230	if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
223	BUG();	231	BUG();
@@ -230,6 +238,12 @@ static int esp6_input(struct xfrm_state x, struct sk_buff skb)
230	}	238	}
231	/* ... check padding bits here. Silly. :-) */	239	/* ... check padding bits here. Silly. :-) */
232		240
		241	/* RFC4303: Drop dummy packets without any error */
		242	if (nexthdr[1] == IPPROTO_NONE) {
		243	ret = -EINVAL;
		244	goto out;
		245	}
		246
233	pskb_trim(skb, skb->len - alen - padlen - 2);	247	pskb_trim(skb, skb->len - alen - padlen - 2);
234	ret = nexthdr[1];	248	ret = nexthdr[1];
235	}	249	}