aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_algo.c2
-rw-r--r--net/xfrm/xfrm_policy.c4
-rw-r--r--net/xfrm/xfrm_user.c15
3 files changed, 15 insertions, 6 deletions
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 080aae243c..2f4531fcac 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -698,7 +698,7 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
698 return -ENOMEM; 698 return -ENOMEM;
699 699
700 if (skb1->sk) 700 if (skb1->sk)
701 skb_set_owner_w(skb, skb1->sk); 701 skb_set_owner_w(skb2, skb1->sk);
702 702
703 /* Looking around. Are we still alive? 703 /* Looking around. Are we still alive?
704 * OK, link new skb, drop old one */ 704 * OK, link new skb, drop old one */
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 55ed979db1..d07f5ce318 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1136,7 +1136,7 @@ int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family)
1136 struct xfrm_dst *last; 1136 struct xfrm_dst *last;
1137 u32 mtu; 1137 u32 mtu;
1138 1138
1139 if (!dst_check(dst->path, 0) || 1139 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
1140 (dst->dev && !netif_running(dst->dev))) 1140 (dst->dev && !netif_running(dst->dev)))
1141 return 0; 1141 return 0;
1142 1142
@@ -1156,7 +1156,7 @@ int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family)
1156 xdst->child_mtu_cached = mtu; 1156 xdst->child_mtu_cached = mtu;
1157 } 1157 }
1158 1158
1159 if (!dst_check(xdst->route, 0)) 1159 if (!dst_check(xdst->route, xdst->route_cookie))
1160 return 0; 1160 return 0;
1161 mtu = dst_mtu(xdst->route); 1161 mtu = dst_mtu(xdst->route);
1162 if (xdst->route_mtu_cached != mtu) { 1162 if (xdst->route_mtu_cached != mtu) {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5ddda2c98a..97509011c2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -34,14 +34,21 @@ static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
34{ 34{
35 struct rtattr *rt = xfrma[type - 1]; 35 struct rtattr *rt = xfrma[type - 1];
36 struct xfrm_algo *algp; 36 struct xfrm_algo *algp;
37 int len;
37 38
38 if (!rt) 39 if (!rt)
39 return 0; 40 return 0;
40 41
41 if ((rt->rta_len - sizeof(*rt)) < sizeof(*algp)) 42 len = (rt->rta_len - sizeof(*rt)) - sizeof(*algp);
43 if (len < 0)
42 return -EINVAL; 44 return -EINVAL;
43 45
44 algp = RTA_DATA(rt); 46 algp = RTA_DATA(rt);
47
48 len -= (algp->alg_key_len + 7U) / 8;
49 if (len < 0)
50 return -EINVAL;
51
45 switch (type) { 52 switch (type) {
46 case XFRMA_ALG_AUTH: 53 case XFRMA_ALG_AUTH:
47 if (!algp->alg_key_len && 54 if (!algp->alg_key_len &&
@@ -162,6 +169,7 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
162 struct rtattr *rta = u_arg; 169 struct rtattr *rta = u_arg;
163 struct xfrm_algo *p, *ualg; 170 struct xfrm_algo *p, *ualg;
164 struct xfrm_algo_desc *algo; 171 struct xfrm_algo_desc *algo;
172 int len;
165 173
166 if (!rta) 174 if (!rta)
167 return 0; 175 return 0;
@@ -173,11 +181,12 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
173 return -ENOSYS; 181 return -ENOSYS;
174 *props = algo->desc.sadb_alg_id; 182 *props = algo->desc.sadb_alg_id;
175 183
176 p = kmalloc(sizeof(*ualg) + ualg->alg_key_len, GFP_KERNEL); 184 len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8;
185 p = kmalloc(len, GFP_KERNEL);
177 if (!p) 186 if (!p)
178 return -ENOMEM; 187 return -ENOMEM;
179 188
180 memcpy(p, ualg, sizeof(*ualg) + ualg->alg_key_len); 189 memcpy(p, ualg, len);
181 *algpp = p; 190 *algpp = p;
182 return 0; 191 return 0;
183} 192}
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-26 19:57:47 -0400