diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2008-09-30 02:03:19 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-09-30 02:03:19 -0700 |
commit | d01dbeb6af7a0848063033f73c3d146fec7451f3 (patch) | |
tree | 7b912030e10097483843c0dfa006e3793e31c9ae | |
parent | 94aca1dac6f6d21f4b07e4864baf7768cabcc6e7 (diff) | |
download | kernel_samsung_smdk4412-d01dbeb6af7a0848063033f73c3d146fec7451f3.tar.gz kernel_samsung_smdk4412-d01dbeb6af7a0848063033f73c3d146fec7451f3.tar.bz2 kernel_samsung_smdk4412-d01dbeb6af7a0848063033f73c3d146fec7451f3.zip |
ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space
We're never supposed to shrink the headroom or tailroom. In fact,
shrinking the headroom is a fatal action.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/xfrm/xfrm_output.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index ac25b4c0e98..dc50f1e71f7 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -27,10 +27,14 @@ static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb) - skb_headroom(skb); int ntail = dst->dev->needed_tailroom - skb_tailroom(skb); - if (nhead > 0 || ntail > 0) - return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC); - - return 0; + if (nhead <= 0) { + if (ntail <= 0) + return 0; + nhead = 0; + } else if (ntail < 0) + ntail = 0; + + return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC); } static int xfrm_output_one(struct sk_buff *skb, int err) |