
Commit 6ed6918

myunghojklassert
authored andcommitted
xfrm: Reset secpath in xfrm failure
In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would fail and result in dereferencing an invalid pointer in esp4_gso_segment() and esp6_gso_segment(). Reset secpath if the xfrm function returns an error.

Fixes: 7785bba ("esp: Add a software GRO codepath")
Reported-by: [email protected]
Signed-off-by: Myungho Jung <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
1 parent b805d78 commit 6ed6918


2 files changed

+10
-6
lines changed


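--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -52,21 +52,21 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
 goto out;
 
 if (sp->len == XFRM_MAX_DEPTH)
-goto out;
+goto out_reset;
 
 x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
 (xfrm_address_t *)&ip_hdr(skb)->daddr,
 spi, IPPROTO_ESP, AF_INET);
 if (!x)
-goto out;
+goto out_reset;
 
 sp->xvec[sp->len++] = x;
 sp->olen++;
 
 xo = xfrm_offload(skb);
 if (!xo) {
 xfrm_state_put(x);
-goto out;
+goto out_reset;
 }
 }
 
@@ -82,6 +82,8 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
 xfrm_input(skb, IPPROTO_ESP, spi, -2);
 
 return ERR_PTR(-EINPROGRESS);
+out_reset:
+secpath_reset(skb);
 out:
 skb_push(skb, offset);
 NAPI_GRO_CB(skb)->same_flow = 0;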
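Review bot: The `if (!xo)` branch of esp4_gro_receive() still calls `xfrm_state_put(x)` before `goto out_reset`, although `x` has already been stored by `sp->xvec[sp->len++] = x`. If secpath_reset() releases the states held in the secpath (its body is not visible here, so this needs confirming), that reference is dropped twice, which risks a refcount underflow and a later use-after-free of the xfrm state. I would remove the explicit put and let the reset path own the release, leaving just `if (!xo) goto out_reset;`. The `if (!xo)` branch of esp6_gro_receive() in net/ipv6/esp6_offload.c has the same pattern. Both functions begin and end outside the hunks shown.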

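--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -74,21 +74,21 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
 goto out;
 
 if (sp->len == XFRM_MAX_DEPTH)
-goto out;
+goto out_reset;
 
 x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
 (xfrm_address_t *)&ipv6_hdr(skb)->daddr,
 spi, IPPROTO_ESP, AF_INET6);
 if (!x)
-goto out;
+goto out_reset;
 
 sp->xvec[sp->len++] = x;
 sp->olen++;
 
 xo = xfrm_offload(skb);
 if (!xo) {
 xfrm_state_put(x);
-goto out;
+goto out_reset;
 }
 }
 
@@ -109,6 +109,8 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
 xfrm_input(skb, IPPROTO_ESP, spi, -2);
 
 return ERR_PTR(-EINPROGRESS);
+out_reset:
+secpath_reset(skb);
 out:
 skb_push(skb, offset);
 NAPI_GRO_CB(skb)->same_flow = 0;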
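Review bot: The new `out_reset:` label in esp6_gro_receive() has no comment explaining why it exists alongside `out:`, and the reason is only recoverable from the commit message. I would add one line above `secpath_reset(skb);`, for example `/* secpath was set above but has no valid state for this skb; drop it so the GSO path never reads sp->xvec[sp->len - 1] */`. The same comment would fit the matching label in esp4_gro_receive(). It would also help to note at the first `goto out;` (the context line that opens the first hunk) that it deliberately skips the reset; the condition guarding it lies outside the hunk.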
