ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

We're never supposed to shrink the headroom or tailroom. In fact, shrinking the headroom is a fatal action. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2008-09-30 02:03:19 -0700
committer: David S. Miller <davem@davemloft.net> 2008-09-30 02:03:19 -0700
commit: d01dbeb6af7a0848063033f73c3d146fec7451f3 (patch)
tree: 7b912030e10097483843c0dfa006e3793e31c9ae /net/xfrm/xfrm_output.c
parent: 94aca1dac6f6d21f4b07e4864baf7768cabcc6e7 (diff)
download: olio-linux-3.10-d01dbeb6af7a0848063033f73c3d146fec7451f3.tar.xz
olio-linux-3.10-d01dbeb6af7a0848063033f73c3d146fec7451f3.zip
1 files changed, 7 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index ac25b4c0e98..dc50f1e71f7 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -27,10 +27,14 @@ static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
 		- skb_headroom(skb);
 	int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
 
-	if (nhead > 0 || ntail > 0)
-		return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
+	if (nhead <= 0) {
+		if (ntail <= 0)
+			return 0;
+		nhead = 0;
+	} else if (ntail < 0)
+		ntail = 0;
 
-	return 0;
+	return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
 }
 
 static int xfrm_output_one(struct sk_buff *skb, int err)
author	Herbert Xu <herbert@gondor.apana.org.au>	2008-09-30 02:03:19 -0700
committer	David S. Miller <davem@davemloft.net>	2008-09-30 02:03:19 -0700
commit	d01dbeb6af7a0848063033f73c3d146fec7451f3 (patch)
tree	7b912030e10097483843c0dfa006e3793e31c9ae /net/xfrm/xfrm_output.c
parent	94aca1dac6f6d21f4b07e4864baf7768cabcc6e7 (diff)
download	olio-linux-3.10-d01dbeb6af7a0848063033f73c3d146fec7451f3.tar.xz olio-linux-3.10-d01dbeb6af7a0848063033f73c3d146fec7451f3.zip