Skip to content

Commit

Permalink
ah: Read nexthdr value before overwriting it in ahash input callback.
Browse files Browse the repository at this point in the history
The AH4/6 ahash input callbacks read out the nexthdr field from the AH
header *after* they overwrite that header.  This is obviously not going
to end well.  Fix it up.

Signed-off-by: Nick Bowler <nbowler@elliptictech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Nick Bowler authored and David S. Miller committed Nov 9, 2011
1 parent 069294e commit b7ea81a
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions net/ipv4/ah4.c
Original file line number Diff line number Diff line change
Expand Up @@ -262,12 +262,12 @@ static void ah_input_done(struct crypto_async_request *base, int err)
if (err)
goto out;

err = ah->nexthdr;

skb->network_header += ah_hlen;
memcpy(skb_network_header(skb), work_iph, ihl);
__skb_pull(skb, ah_hlen + ihl);
skb_set_transport_header(skb, -ihl);

err = ah->nexthdr;
out:
kfree(AH_SKB_CB(skb)->tmp);
xfrm_input_resume(skb, err);
Expand Down
4 changes: 2 additions & 2 deletions net/ipv6/ah6.c
Original file line number Diff line number Diff line change
Expand Up @@ -464,12 +464,12 @@ static void ah6_input_done(struct crypto_async_request *base, int err)
if (err)
goto out;

err = ah->nexthdr;

skb->network_header += ah_hlen;
memcpy(skb_network_header(skb), work_iph, hdr_len);
__skb_pull(skb, ah_hlen + hdr_len);
skb_set_transport_header(skb, -hdr_len);

err = ah->nexthdr;
out:
kfree(AH_SKB_CB(skb)->tmp);
xfrm_input_resume(skb, err);
Expand Down

0 comments on commit b7ea81a

Please sign in to comment.