提交 2614fa59 编写于 作者: H Herbert Xu 提交者: David S. Miller

[IPCOMP]: Fetch nexthdr before ipch is destroyed

When I moved the nexthdr setting out of IPComp I accidently moved
the reading of ipch->nexthdr after the decompression.  Unfortunately
this means that we'd be reading from a stale ipch pointer which
doesn't work very well.

This patch moves the reading up so that we get the correct nexthdr
value.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 936f6f8e
...@@ -74,6 +74,7 @@ static int ipcomp_decompress(struct xfrm_state *x, struct sk_buff *skb) ...@@ -74,6 +74,7 @@ static int ipcomp_decompress(struct xfrm_state *x, struct sk_buff *skb)
static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb) static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
{ {
int nexthdr;
int err = -ENOMEM; int err = -ENOMEM;
struct ip_comp_hdr *ipch; struct ip_comp_hdr *ipch;
...@@ -84,13 +85,15 @@ static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -84,13 +85,15 @@ static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
/* Remove ipcomp header and decompress original payload */ /* Remove ipcomp header and decompress original payload */
ipch = (void *)skb->data; ipch = (void *)skb->data;
nexthdr = ipch->nexthdr;
skb->transport_header = skb->network_header + sizeof(*ipch); skb->transport_header = skb->network_header + sizeof(*ipch);
__skb_pull(skb, sizeof(*ipch)); __skb_pull(skb, sizeof(*ipch));
err = ipcomp_decompress(x, skb); err = ipcomp_decompress(x, skb);
if (err) if (err)
goto out; goto out;
err = ipch->nexthdr; err = nexthdr;
out: out:
return err; return err;
......
...@@ -64,6 +64,7 @@ static LIST_HEAD(ipcomp6_tfms_list); ...@@ -64,6 +64,7 @@ static LIST_HEAD(ipcomp6_tfms_list);
static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb) static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
{ {
int nexthdr;
int err = -ENOMEM; int err = -ENOMEM;
struct ip_comp_hdr *ipch; struct ip_comp_hdr *ipch;
int plen, dlen; int plen, dlen;
...@@ -79,6 +80,8 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -79,6 +80,8 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
/* Remove ipcomp header and decompress original payload */ /* Remove ipcomp header and decompress original payload */
ipch = (void *)skb->data; ipch = (void *)skb->data;
nexthdr = ipch->nexthdr;
skb->transport_header = skb->network_header + sizeof(*ipch); skb->transport_header = skb->network_header + sizeof(*ipch);
__skb_pull(skb, sizeof(*ipch)); __skb_pull(skb, sizeof(*ipch));
...@@ -108,7 +111,7 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -108,7 +111,7 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
skb->truesize += dlen - plen; skb->truesize += dlen - plen;
__skb_put(skb, dlen - plen); __skb_put(skb, dlen - plen);
skb_copy_to_linear_data(skb, scratch, dlen); skb_copy_to_linear_data(skb, scratch, dlen);
err = ipch->nexthdr; err = nexthdr;
out_put_cpu: out_put_cpu:
put_cpu(); put_cpu();
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册