korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 08:14:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Browse Source 
Steffen Klassert says:

====================
pull request (net): ipsec 2017-08-29

1) Fix dst_entry refcount imbalance when using socket policies.
   From Lorenzo Colitti.

2) Fix locking when adding the ESP trailers.

3) Fix tailroom calculation for the ESP trailer by using
   skb_tailroom instead of skb_availroom.

4) Fix some info leaks in xfrm_user.
   From Mathias Krause.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2017-08-29 09:37:06 -07:00
commit 04f1c4ad72
4 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
net/ipv4/esp4.c
View File

@ -258,7 +258,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
esp_output_udp_encap(x, skb, esp); esp_output_udp_encap(x, skb, esp);
if (!skb_cloned(skb)) { if (!skb_cloned(skb)) {
if (tailen <= skb_availroom(skb)) { if (tailen <= skb_tailroom(skb)) {
nfrags = 1; nfrags = 1;
trailer = skb; trailer = skb;
tail = skb_tail_pointer(trailer); tail = skb_tail_pointer(trailer);
@ -292,8 +292,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
kunmap_atomic(vaddr); kunmap_atomic(vaddr);
spin_unlock_bh(&x->lock);
nfrags = skb_shinfo(skb)->nr_frags; nfrags = skb_shinfo(skb)->nr_frags;
__skb_fill_page_desc(skb, nfrags, page, pfrag->offset, __skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
@ -301,6 +299,9 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
skb_shinfo(skb)->nr_frags = ++nfrags; skb_shinfo(skb)->nr_frags = ++nfrags;
pfrag->offset = pfrag->offset + allocsize; pfrag->offset = pfrag->offset + allocsize;
spin_unlock_bh(&x->lock);
nfrags++; nfrags++;
skb->len += tailen; skb->len += tailen;

7
net/ipv6/esp6.c
View File

@ -226,7 +226,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
int tailen = esp->tailen; int tailen = esp->tailen;
if (!skb_cloned(skb)) { if (!skb_cloned(skb)) {
if (tailen <= skb_availroom(skb)) { if (tailen <= skb_tailroom(skb)) {
nfrags = 1; nfrags = 1;
trailer = skb; trailer = skb;
tail = skb_tail_pointer(trailer); tail = skb_tail_pointer(trailer);
@ -260,8 +260,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
kunmap_atomic(vaddr); kunmap_atomic(vaddr);
spin_unlock_bh(&x->lock);
nfrags = skb_shinfo(skb)->nr_frags; nfrags = skb_shinfo(skb)->nr_frags;
__skb_fill_page_desc(skb, nfrags, page, pfrag->offset, __skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
@ -269,6 +267,9 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
skb_shinfo(skb)->nr_frags = ++nfrags; skb_shinfo(skb)->nr_frags = ++nfrags;
pfrag->offset = pfrag->offset + allocsize; pfrag->offset = pfrag->offset + allocsize;
spin_unlock_bh(&x->lock);
nfrags++; nfrags++;
skb->len += tailen; skb->len += tailen;

1
net/xfrm/xfrm_policy.c
View File

@ -2226,7 +2226,6 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
goto no_transform; goto no_transform;
} }
dst_hold(&xdst->u.dst);
route = xdst->route; route = xdst->route;
} }
} }

6
net/xfrm/xfrm_user.c
View File

@ -796,7 +796,7 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
return -EMSGSIZE; return -EMSGSIZE;
xuo = nla_data(attr); xuo = nla_data(attr);
memset(xuo, 0, sizeof(*xuo));
xuo->ifindex = xso->dev->ifindex; xuo->ifindex = xso->dev->ifindex;
xuo->flags = xso->flags; xuo->flags = xso->flags;
@ -1869,6 +1869,7 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct
return -EMSGSIZE; return -EMSGSIZE;
id = nlmsg_data(nlh); id = nlmsg_data(nlh);
memset(&id->sa_id, 0, sizeof(id->sa_id));
memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr)); memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr));
id->sa_id.spi = x->id.spi; id->sa_id.spi = x->id.spi;
id->sa_id.family = x->props.family; id->sa_id.family = x->props.family;
@ -2578,6 +2579,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
ue = nlmsg_data(nlh); ue = nlmsg_data(nlh);
copy_to_user_state(x, &ue->state); copy_to_user_state(x, &ue->state);
ue->hard = (c->data.hard != 0) ? 1 : 0; ue->hard = (c->data.hard != 0) ? 1 : 0;
/* clear the padding bytes */
memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
err = xfrm_mark_put(skb, &x->mark); err = xfrm_mark_put(skb, &x->mark);
if (err) if (err)
@ -2715,6 +2718,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
struct nlattr *attr; struct nlattr *attr;
id = nlmsg_data(nlh); id = nlmsg_data(nlh);
memset(id, 0, sizeof(*id));
memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
id->spi = x->id.spi; id->spi = x->id.spi;
id->family = x->props.family; id->family = x->props.family;