From: Ilan Tayari Date: Sun, 30 Apr 2017 13:34:38 +0000 (+0300) Subject: net/esp4: Fix invalid esph pointer crash X-Git-Tag: v4.12-rc1~129^2~21 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=67d349ed603d5ce4a6f1722b1736e2bcef0e8690;p=tomoyo%2Ftomoyo-test1.git net/esp4: Fix invalid esph pointer crash Both esp_output and esp_xmit take a pointer to the ESP header and place it in esp_info struct prior to calling esp_output_head. Inside esp_output_head, the call to esp_output_udp_encap makes sure to update the pointer if it gets invalid. However, if esp_output_head itself calls skb_cow_data, the pointer is not updated and stays invalid, causing a crash after esp_output_head returns. Update the pointer if it becomes invalid in esp_output_head Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output") Signed-off-by: Ilan Tayari Signed-off-by: David S. Miller --- diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 7f2caf71212b..65cc02bd82bc 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -317,6 +317,7 @@ cow: if (nfrags < 0) goto out; tail = skb_tail_pointer(trailer); + esp->esph = ip_esp_hdr(skb); skip_cow: esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto);
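Review bot: the added `esp->esph = ip_esp_hdr(skb);` after `tail = skb_tail_pointer(trailer);` assumes the ESP header always sits at the position `ip_esp_hdr(skb)` returns, but the commit message says esp_output_udp_encap may already have updated `esp->esph` earlier in esp_output_head. If that encapsulation path leaves the ESP header at a different offset, this unconditional reset would overwrite it with the wrong location. Please confirm the UDP-encapsulation case. If the positions can differ, save the offset of `esp->esph` from the skb data before the skb_cow_data call and reapply it afterwards rather than recomputing it from the skb. A short comment above the new line saying that skb_cow_data can relocate the data, and that this is why the pointer is refreshed, would also help, since the reason is not visible at the `cow:` label and the `skip_cow:` path correctly leaves the pointer alone.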