Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2018-05-31

1) Avoid possible overflow of the offset variable
   in  _decode_session6(), this fixes an infinite
   lookp there. From Eric Dumazet.

2) We may use an error pointer in the error path of
   xfrm_bundle_create(). Fix this by returning this
   pointer directly to the caller.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 416fe67271a920f5a86dd3007c03e3113f857f8a..86dba282a147ce6ad4b3e4e2f3b5c81962493130 100644 (file)
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -126,7 +126,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
        const struct ipv6hdr *hdr = ipv6_hdr(skb);
-       u16 offset = sizeof(*hdr);
+       u32 offset = sizeof(*hdr);
        struct ipv6_opt_hdr *exthdr;
        const unsigned char *nh = skb_network_header(skb);
        u16 nhoff = IP6CB(skb)->nhoff;

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 40b54cc64243b0751e59ef8762248209fa7dabd6..5f48251c1319aa5bb122fe4849030baa758769ee 100644 (file)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1658,7 +1658,6 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;
        }
 
-out:
        return &xdst0->u.dst;
 
 put_states:
@@ -1667,8 +1666,8 @@ put_states:
 free_dst:
        if (xdst0)
                dst_release_immediate(&xdst0->u.dst);
-       xdst0 = ERR_PTR(err);
-       goto out;
+
+       return ERR_PTR(err);
 }
 
 static int xfrm_expand_policies(const struct flowi *fl, u16 family,