authorSteffen Klassert <steffen.klassert@secunet.com>2011-06-05 20:46:03 +0000
committerGreg Kroah-Hartman <gregkh@suse.de>2011-07-08 23:15:39 -0700
commit11915b98996882bdc5ae58b992cf929f2c824b66 (patch)
tree3c39fe3e5e392e0726ca15a7e30d39ff4764b1f9
parent5a6f784d68bb0ad9c2eae599ab90baf9d98f9ec2 (diff)
xfrm: Fix off by one in the replay advance functions
[ Upstream commit e756682c8baa47da1648c0c016e9f48ed66bc32d ]

We may write 4 bytes too many when we reinitialize the anti replay window in the replay advance functions. This patch fixes this by adjusting the last index of the initialization loop.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/xfrm/xfrm_replay.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 47f1b8638df9..b11ea692bd7d 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
bitnr = bitnr & 0x1F;
replay_esn->bmp[nr] |= (1U << bitnr);
} else {
- nr = replay_esn->replay_window >> 5;
+ nr = (replay_esn->replay_window - 1) >> 5;
for (i = 0; i <= nr; i++)
replay_esn->bmp[i] = 0;
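Review bot: The new bound `(replay_esn->replay_window - 1) >> 5` is only correct when `replay_window` is at least 1, and nothing in this hunk or in the matching hunk in xfrm_replay_advance_esn shows that. If the field is unsigned and can be zero on this path, the subtraction wraps and the `for (i = 0; i <= nr; i++)` loop would clear far more than the bitmap, which is a much larger out-of-bounds write than the 4 bytes being fixed. Both functions start outside the hunks, so an early return on a zero window may already exist there; that should be confirmed. The invariant should also be stated next to the computation, e.g. `/* replay_window != 0 here: clear the ceil(replay_window / 32) words of bmp */`. The loop also assumes `replay_window` matches the allocated length of `bmp`, which is presumably validated where the state is configured rather than here.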
@@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
bitnr = bitnr & 0x1F;
replay_esn->bmp[nr] |= (1U << bitnr);
} else {
- nr = replay_esn->replay_window >> 5;
+ nr = (replay_esn->replay_window - 1) >> 5;
for (i = 0; i <= nr; i++)
replay_esn->bmp[i] = 0;