diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/ah4.c | 4 | ||||
-rw-r--r-- | net/ipv4/esp4.c | 1 | ||||
-rw-r--r-- | net/ipv6/ah6.c | 4 | ||||
-rw-r--r-- | net/ipv6/esp6.c | 1 | ||||
-rw-r--r-- | net/xfrm/xfrm_input.c | 5 |
5 files changed, 6 insertions, 9 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index ec8de0a..d76803a 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -179,10 +179,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) err = ah_mac_digest(ahp, skb, ah->auth_data); if (err) goto unlock; - if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { - xfrm_audit_state_icvfail(x, skb, IPPROTO_AH); + if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) err = -EBADMSG; - } } unlock: spin_unlock(&x->lock); diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index b334c76..28ea5c7 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -191,7 +191,6 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) BUG(); if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { - xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP); err = -EBADMSG; goto unlock; } diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 2d32772..fb0d07a 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -380,10 +380,8 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) err = ah_mac_digest(ahp, skb, ah->auth_data); if (err) goto unlock; - if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { - xfrm_audit_state_icvfail(x, skb, IPPROTO_AH); + if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) err = -EBADMSG; - } } unlock: spin_unlock(&x->lock); diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index e10f10b..5bd5292 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -186,7 +186,6 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) BUG(); if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { - xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP); ret = -EBADMSG; goto unlock; } diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 1b250f3..039e701 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -186,8 +186,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) resume: spin_lock(&x->lock); if (nexthdr <= 0) { - if (nexthdr == -EBADMSG) + if (nexthdr == -EBADMSG) { + xfrm_audit_state_icvfail(x, skb, + x->type->proto); x->stats.integrity_failed++; + } XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR); goto drop_unlock; } |