diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2008-09-30 02:03:19 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-10-08 20:23:08 -0700 |
| commit | b047cf6dfa81ca03b62f2e3ae63793ef5c300158 (patch) | |
| tree | e5a7da1333f2de905e15844b0eeb53419d8c029c | |
| parent | 877755eb1c4e46b460ac1af9938dec6f9d528fc2 (diff) | |
ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space
[ Upstream commit d01dbeb6af7a0848063033f73c3d146fec7451f3 ]
We're never supposed to shrink the headroom or tailroom. In fact,
shrinking the headroom is a fatal action.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | net/xfrm/xfrm_output.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 3f964db908a7..5360c86e95e0 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -27,10 +27,14 @@ static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb) - skb_headroom(skb); int ntail = dst->dev->needed_tailroom - skb_tailroom(skb); - if (nhead > 0 || ntail > 0) - return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC); - - return 0; + if (nhead <= 0) { + if (ntail <= 0) + return 0; + nhead = 0; + } else if (ntail < 0) + ntail = 0; + + return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC); } static int xfrm_output_one(struct sk_buff *skb, int err) |