ah: Read nexthdr value before overwriting it in ahash input callback.
The AH4/6 ahash input callbacks read out the nexthdr field from the AH header *after* they overwrite that header. This is obviously not going to end well. Fix it up. Signed-off-by: Nick Bowler <nbowler@elliptictech.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
069294e813
commit
b7ea81a58a
|
@ -262,12 +262,12 @@ static void ah_input_done(struct crypto_async_request *base, int err)
|
|||
if (err)
|
||||
goto out;
|
||||
|
||||
err = ah->nexthdr;
|
||||
|
||||
skb->network_header += ah_hlen;
|
||||
memcpy(skb_network_header(skb), work_iph, ihl);
|
||||
__skb_pull(skb, ah_hlen + ihl);
|
||||
skb_set_transport_header(skb, -ihl);
|
||||
|
||||
err = ah->nexthdr;
|
||||
out:
|
||||
kfree(AH_SKB_CB(skb)->tmp);
|
||||
xfrm_input_resume(skb, err);
|
||||
|
|
|
@ -464,12 +464,12 @@ static void ah6_input_done(struct crypto_async_request *base, int err)
|
|||
if (err)
|
||||
goto out;
|
||||
|
||||
err = ah->nexthdr;
|
||||
|
||||
skb->network_header += ah_hlen;
|
||||
memcpy(skb_network_header(skb), work_iph, hdr_len);
|
||||
__skb_pull(skb, ah_hlen + hdr_len);
|
||||
skb_set_transport_header(skb, -hdr_len);
|
||||
|
||||
err = ah->nexthdr;
|
||||
out:
|
||||
kfree(AH_SKB_CB(skb)->tmp);
|
||||
xfrm_input_resume(skb, err);
|
||||
|
|
Loading…
Reference in New Issue