diff options
author | Steffen Klassert <steffen.klassert@secunet.com> | 2011-06-05 20:46:03 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-06-07 21:14:39 -0700 |
commit | e756682c8baa47da1648c0c016e9f48ed66bc32d (patch) | |
tree | e226eebfbdb826f79607751f719ebaaaf810b229 /net/xfrm | |
parent | 665c8c8ee405738375b679246b49342ce38ba056 (diff) | |
download | op-kernel-dev-e756682c8baa47da1648c0c016e9f48ed66bc32d.zip op-kernel-dev-e756682c8baa47da1648c0c016e9f48ed66bc32d.tar.gz |
xfrm: Fix off by one in the replay advance functions
We may write 4 byte too much when we reinitialize the anti replay
window in the replay advance functions. This patch fixes this by
adjusting the last index of the initialization loop.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_replay.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c index 47f1b86..b11ea69 100644 --- a/net/xfrm/xfrm_replay.c +++ b/net/xfrm/xfrm_replay.c @@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq) bitnr = bitnr & 0x1F; replay_esn->bmp[nr] |= (1U << bitnr); } else { - nr = replay_esn->replay_window >> 5; + nr = (replay_esn->replay_window - 1) >> 5; for (i = 0; i <= nr; i++) replay_esn->bmp[i] = 0; @@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq) bitnr = bitnr & 0x1F; replay_esn->bmp[nr] |= (1U << bitnr); } else { - nr = replay_esn->replay_window >> 5; + nr = (replay_esn->replay_window - 1) >> 5; for (i = 0; i <= nr; i++) replay_esn->bmp[i] = 0; |