diff options
author | Daniel Borkmann <dborkman@redhat.com> | 2013-08-05 12:49:35 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-08-05 12:26:50 -0700 |
commit | 7921895a5e852fc99de347bc0600659997de9298 (patch) | |
tree | 0806f91433c6a67fa20a679d9c5db4809cf981d9 /kernel/audit.c | |
parent | 07ce76aa9bcf8bc106a53c67548c5602f1598595 (diff) | |
download | op-kernel-dev-7921895a5e852fc99de347bc0600659997de9298.zip op-kernel-dev-7921895a5e852fc99de347bc0600659997de9298.tar.gz |
net: esp{4,6}: fix potential MTU calculation overflows
Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
size calculation") introduced a possible interger overflow in
esp{4,6}_get_mtu() handlers in case of x->props.mode equals
XFRM_MODE_TUNNEL. Thus, the following expression will overflow
unsigned int net_adj;
...
<case ipv{4,6} XFRM_MODE_TUNNEL>
net_adj = 0;
...
return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
net_adj) & ~(align - 1)) + (net_adj - 2);
where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
context. Fix it by simply removing brackets as those operations here
do not need to have special precedence.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Benjamin Poirier <bpoirier@suse.de>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Benjamin Poirier <bpoirier@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel/audit.c')
0 files changed, 0 insertions, 0 deletions