xfrm: Fix infinite loop in xfrm_get_dst_nexthop with transport mode.

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

On transport mode we forget to fetch the child dst_entry
before we continue the while loop, this leads to an infinite
loop. Fix this by fetching the child dst_entry before we
continue the while loop.

Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst")
Reported-by: syzbot+7d03c810e50aaedef98a@syzkaller.appspotmail.com
Tested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Steffen Klassert 8 years ago 013cb81e 143a4454

+2 -2

1 changed file

expand all

net

xfrm

xfrm_policy.c

+2 -2

net/xfrm/xfrm_policy.c

··· 2732 2732 while (dst->xfrm) { 2733 2733 const struct xfrm_state *xfrm = dst->xfrm; 2734 2734 2735 + dst = xfrm_dst_child(dst); 2736 + 2735 2737 if (xfrm->props.mode == XFRM_MODE_TRANSPORT) 2736 2738 continue; 2737 2739 if (xfrm->type->flags & XFRM_TYPE_REMOTE_COADDR) 2738 2740 daddr = xfrm->coaddr; 2739 2741 else if (!(xfrm->type->flags & XFRM_TYPE_LOCAL_COADDR)) 2740 2742 daddr = &xfrm->id.daddr; 2741 - 2742 - dst = xfrm_dst_child(dst); 2743 2743 } 2744 2744 return daddr; 2745 2745 }