diff options
author | Steffen Klassert <steffen.klassert@secunet.com> | 2013-09-09 09:39:01 +0200 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2013-09-16 09:39:37 +0200 |
commit | 4479ff76c43607b680f9349128d8493228b49dce (patch) | |
tree | 5144879a8baaa977847276d0c4758cd8f2735bce /net/xfrm | |
parent | 73a695f8572e4c46a2aecdbb63f26f36a43e6873 (diff) | |
download | op-kernel-dev-4479ff76c43607b680f9349128d8493228b49dce.zip op-kernel-dev-4479ff76c43607b680f9349128d8493228b49dce.tar.gz |
xfrm: Fix replay size checking on async events
We pass the wrong netlink attribute to xfrm_replay_verify_len().
It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
we currently doing. This causes memory corruptions if the
replay esn attribute has incorrect length. Fix this by passing
the right attribute to xfrm_replay_verify_len().
Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_user.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 3f565e4..4b26cee 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1856,7 +1856,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, if (x->km.state != XFRM_STATE_VALID) goto out; - err = xfrm_replay_verify_len(x->replay_esn, rp); + err = xfrm_replay_verify_len(x->replay_esn, re); if (err) goto out; |