diff options
author | Nicolas Dichtel <nicolas.dichtel@6wind.com> | 2016-09-19 16:17:57 +0200 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2016-09-21 10:09:14 +0200 |
commit | 63c43787d35e45562a6b5927e2edc8f4783d95b8 (patch) | |
tree | 2f16ef080b7a0b9fdd43915a33fd6ab2557eca2f /net/ipv6/ip6_vti.c | |
parent | b588479358ce26f32138e0f0a7ab0678f8e3e601 (diff) | |
download | lwn-63c43787d35e45562a6b5927e2edc8f4783d95b8.tar.gz lwn-63c43787d35e45562a6b5927e2edc8f4783d95b8.zip |
vti6: fix input path
Since commit 1625f4529957, vti6 is broken, all input packets are dropped
(LINUX_MIB_XFRMINNOSTATES is incremented).
XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 is set by vti6_rcv() before calling
xfrm6_rcv()/xfrm6_rcv_spi(), thus we cannot set to NULL that value in
xfrm6_rcv_spi().
A new function xfrm6_rcv_tnl() that enables to pass a value to
xfrm6_rcv_spi() is added, so that xfrm6_rcv() is not touched (this function
is used in several handlers).
CC: Alexey Kodanev <alexey.kodanev@oracle.com>
Fixes: 1625f4529957 ("net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/ipv6/ip6_vti.c')
-rw-r--r-- | net/ipv6/ip6_vti.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 52a2f735881f..5bd3afdcc771 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -321,11 +321,9 @@ static int vti6_rcv(struct sk_buff *skb) goto discard; } - XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t; - rcu_read_unlock(); - return xfrm6_rcv(skb); + return xfrm6_rcv_tnl(skb, t); } rcu_read_unlock(); return -EINVAL; |