net: esp{4,6}: fix potential MTU calculation overflows
Commit 91657eafb
("xfrm: take net hdr len into account for esp payload
size calculation") introduced a possible interger overflow in
esp{4,6}_get_mtu() handlers in case of x->props.mode equals
XFRM_MODE_TUNNEL. Thus, the following expression will overflow
unsigned int net_adj;
...
<case ipv{4,6} XFRM_MODE_TUNNEL>
net_adj = 0;
...
return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
net_adj) & ~(align - 1)) + (net_adj - 2);
where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
context. Fix it by simply removing brackets as those operations here
do not need to have special precedence.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Benjamin Poirier <bpoirier@suse.de>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Benjamin Poirier <bpoirier@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
07ce76aa9b
commit
7921895a5e
@ -477,7 +477,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
|
||||
}
|
||||
|
||||
return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
|
||||
net_adj) & ~(align - 1)) + (net_adj - 2);
|
||||
net_adj) & ~(align - 1)) + net_adj - 2;
|
||||
}
|
||||
|
||||
static void esp4_err(struct sk_buff *skb, u32 info)
|
||||
|
@ -425,7 +425,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
|
||||
net_adj = 0;
|
||||
|
||||
return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
|
||||
net_adj) & ~(align - 1)) + (net_adj - 2);
|
||||
net_adj) & ~(align - 1)) + net_adj - 2;
|
||||
}
|
||||
|
||||
static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
||||
|
Loading…
Reference in New Issue
Block a user