tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
ah: Read nexthdr value before overwriting it in ahash input callback.
The AH4/6 ahash input callbacks read out the nexthdr field from the AH
header *after* they overwrite that header. This is obviously not going
to end well. Fix it up.
Signed-off-by: Nick Bowler <nbowler@elliptictech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
authored by
Nick Bowler
and committed by
David S. Miller
b7ea81a5
069294e8
+4
-4
+2
-2
net/ipv4/ah4.c
+2
-2
net/ipv4/ah4.c
···
262
262
if (err)
263
263
goto out;
264
264
265
+
err = ah->nexthdr;
266
+
265
267
skb->network_header += ah_hlen;
266
268
memcpy(skb_network_header(skb), work_iph, ihl);
267
269
__skb_pull(skb, ah_hlen + ihl);
268
270
skb_set_transport_header(skb, -ihl);
269
-
270
-
err = ah->nexthdr;
271
271
out:
272
272
kfree(AH_SKB_CB(skb)->tmp);
273
273
xfrm_input_resume(skb, err);
+2
-2
net/ipv6/ah6.c
+2
-2
net/ipv6/ah6.c
···
464
464
if (err)
465
465
goto out;
466
466
467
+
err = ah->nexthdr;
468
+
467
469
skb->network_header += ah_hlen;
468
470
memcpy(skb_network_header(skb), work_iph, hdr_len);
469
471
__skb_pull(skb, ah_hlen + hdr_len);
470
472
skb_set_transport_header(skb, -hdr_len);
471
-
472
-
err = ah->nexthdr;
473
473
out:
474
474
kfree(AH_SKB_CB(skb)->tmp);
475
475
xfrm_input_resume(skb, err);