From 0fbcd968dbb6f31e3c4311d2204e1d019e11be19 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 27 Sep 2012 22:21:19 +0000
Subject: [PATCH] --- yaml --- r: 328412 b: refs/heads/master c:
 f674e72ff1aad23a99c7c205473cf02c85c2ac33 h: refs/heads/master v: v3

---
 [refs]                 | 2 +-
 trunk/net/key/af_key.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index 76fb1c3e3f68..fc850a967805 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 862096a8bbf8f992f6d0a1a8786ffd3fc7437e48
+refs/heads/master: f674e72ff1aad23a99c7c205473cf02c85c2ac33
diff --git a/trunk/net/key/af_key.c b/trunk/net/key/af_key.c
index 2ca7d7f6861c..08897a3c7ec7 100644
--- a/trunk/net/key/af_key.c
+++ b/trunk/net/key/af_key.c
@@ -1923,6 +1923,9 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
 	int len = pol->sadb_x_policy_len*8 - sizeof(struct sadb_x_policy);
 	struct sadb_x_ipsecrequest *rq = (void*)(pol+1);
 
+	if (pol->sadb_x_policy_len * 8 < sizeof(struct sadb_x_policy))
+		return -EINVAL;
+
 	while (len >= sizeof(struct sadb_x_ipsecrequest)) {
 		if ((err = parse_ipsecrequest(xp, rq)) < 0)
 			return err;