3 files changed, 16 insertions, 17 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 40d9a1935ab5..8bfbe9970793 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -248,7 +248,7 @@ static u32 esp6_get_max_size(struct xfrm_state *x, int mtu)
        if (esp->conf.padlen)
                mtu = ALIGN(mtu, esp->conf.padlen);
-        return mtu + x->props.header_len + esp->auth.icv_full_len;
+        return mtu + x->props.header_len + esp->auth.icv_trunc_len;
 }
 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index c0f1da5497a9..a7e03cfacd06 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -68,8 +68,8 @@ static int icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
                [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_REPLY +1
        };
-        __u8 type = orig->dst.u.icmp.type - 128;
+        int type = orig->dst.u.icmp.type - 128;
-        if (type >= sizeof(invmap) || !invmap[type])
+        if (type < 0 || type >= sizeof(invmap) || !invmap[type])
                return 0;
        tuple->src.u.icmp.id   = orig->src.u.icmp.id;
@@ -129,12 +129,12 @@ static int icmpv6_new(struct nf_conn *conntrack,
                [ICMPV6_ECHO_REQUEST - 128] = 1,
                [ICMPV6_NI_QUERY - 128] = 1
        };
+        int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128;
-        if (conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128 >= sizeof(valid_new)
+        if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
-            || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128]) {
                /* Can't create a new ICMPv6 `conn' with this. */
-                DEBUGP("icmp: can't create new conn with type %u\n",
+                DEBUGP("icmpv6: can't create new conn with type %u\n",
-                       conntrack->tuplehash[0].tuple.dst.u.icmp.type);
+                       type + 128);
                NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
                return 0;
        }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 62c0e5bd931c..8827389abaf7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -992,13 +992,12 @@ static void tcp_v6_send_reset(struct sk_buff *skb)
        /* sk = NULL, but it is safe for now. RST socket required. */
        if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
-                if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)
+                if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
+                        ip6_xmit(NULL, buff, &fl, NULL, 0);
+                        TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
+                        TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
                        return;
+                }
-                ip6_xmit(NULL, buff, &fl, NULL, 0);
-                TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
-                TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
-                return;
        }
        kfree_skb(buff);
@@ -1057,11 +1056,11 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32
        fl.fl_ip_sport = t1->source;
        if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
-                if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)
+                if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
+                        ip6_xmit(NULL, buff, &fl, NULL, 0);
+                        TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
                        return;
-                ip6_xmit(NULL, buff, &fl, NULL, 0);
+                }
-                TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
-                return;
        }
        kfree_skb(buff);

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 40d9a1935ab5..8bfbe9970793 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c
@@ -248,7 +248,7 @@ static u32 esp6_get_max_size(struct xfrm_state *x, int mtu)
248	if (esp->conf.padlen)	248	if (esp->conf.padlen)
249	mtu = ALIGN(mtu, esp->conf.padlen);	249	mtu = ALIGN(mtu, esp->conf.padlen);
250		250
251	return mtu + x->props.header_len + esp->auth.icv_full_len;	251	return mtu + x->props.header_len + esp->auth.icv_trunc_len;
252	}	252	}
253		253
254	static void esp6_err(struct sk_buff skb, struct inet6_skb_parm opt,	254	static void esp6_err(struct sk_buff skb, struct inet6_skb_parm opt,


diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index c0f1da5497a9..a7e03cfacd06 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -68,8 +68,8 @@ static int icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
68	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_REPLY +1	68	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_REPLY +1
69	};	69	};
70		70
71	__u8 type = orig->dst.u.icmp.type - 128;	71	int type = orig->dst.u.icmp.type - 128;
72	if (type >= sizeof(invmap) \|\| !invmap[type])	72	if (type < 0 \|\| type >= sizeof(invmap) \|\| !invmap[type])
73	return 0;	73	return 0;
74		74
75	tuple->src.u.icmp.id = orig->src.u.icmp.id;	75	tuple->src.u.icmp.id = orig->src.u.icmp.id;
@@ -129,12 +129,12 @@ static int icmpv6_new(struct nf_conn *conntrack,
129	[ICMPV6_ECHO_REQUEST - 128] = 1,	129	[ICMPV6_ECHO_REQUEST - 128] = 1,
130	[ICMPV6_NI_QUERY - 128] = 1	130	[ICMPV6_NI_QUERY - 128] = 1
131	};	131	};
		132	int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128;
132		133
133	if (conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128 >= sizeof(valid_new)	134	if (type < 0 \|\| type >= sizeof(valid_new) \|\| !valid_new[type]) {
134	\|\| !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128]) {
135	/* Can't create a new ICMPv6 `conn' with this. */	135	/* Can't create a new ICMPv6 `conn' with this. */
136	DEBUGP("icmp: can't create new conn with type %u\n",	136	DEBUGP("icmpv6: can't create new conn with type %u\n",
137	conntrack->tuplehash[0].tuple.dst.u.icmp.type);	137	type + 128);
138	NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);	138	NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
139	return 0;	139	return 0;
140	}	140	}


diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 62c0e5bd931c..8827389abaf7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c
@@ -992,13 +992,12 @@ static void tcp_v6_send_reset(struct sk_buff *skb)
992	/* sk = NULL, but it is safe for now. RST socket required. */	992	/* sk = NULL, but it is safe for now. RST socket required. */
993	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {	993	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
994		994
995	if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)	995	if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
		996	ip6_xmit(NULL, buff, &fl, NULL, 0);
		997	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
		998	TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
996	return;	999	return;
997		1000	}
998	ip6_xmit(NULL, buff, &fl, NULL, 0);
999	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
1000	TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
1001	return;
1002	}	1001	}
1003		1002
1004	kfree_skb(buff);	1003	kfree_skb(buff);
@@ -1057,11 +1056,11 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32
1057	fl.fl_ip_sport = t1->source;	1056	fl.fl_ip_sport = t1->source;
1058		1057
1059	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {	1058	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
1060	if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)	1059	if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
		1060	ip6_xmit(NULL, buff, &fl, NULL, 0);
		1061	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
1061	return;	1062	return;
1062	ip6_xmit(NULL, buff, &fl, NULL, 0);	1063	}
1063	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
1064	return;
1065	}	1064	}
1066		1065
1067	kfree_skb(buff);	1066	kfree_skb(buff);