aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6/xfrm6_state.c
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2008-03-26 16:51:09 -0700
committerDavid S. Miller <davem@davemloft.net>2008-03-26 16:51:09 -0700
commit732c8bd590625e8bc0b88313b82930e336b2bec4 (patch)
tree1cf3f6b9db7b886d35bbf38bab2ca6ff82d206d8 /net/ipv6/xfrm6_state.c
parent0e5606e4f46b7cf52dd445af01e71ed9dbb7f735 (diff)
downloadkernel_samsung_smdk4412-732c8bd590625e8bc0b88313b82930e336b2bec4.zip
kernel_samsung_smdk4412-732c8bd590625e8bc0b88313b82930e336b2bec4.tar.gz
kernel_samsung_smdk4412-732c8bd590625e8bc0b88313b82930e336b2bec4.tar.bz2
[IPSEC]: Fix BEET output
The IPv6 BEET output function is incorrectly including the inner header in the payload to be protected. This causes a crash as the packet doesn't actually have that many bytes for a second header. The IPv4 BEET output on the other hand is broken when it comes to handling an inner IPv6 header since it always assumes an inner IPv4 header. This patch fixes both by making sure that neither BEET output function touches the inner header at all. All access is now done through the protocol-independent cb structure. Two new attributes are added to make this work, the IP header length and the IPv4 option length. They're filled in by the inner mode's output function. Thanks to Joakim Koskela for finding this problem. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/xfrm6_state.c')
-rw-r--r--net/ipv6/xfrm6_state.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index dc817e0..ff1e1db 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -174,10 +174,12 @@ int xfrm6_extract_header(struct sk_buff *skb)
{
struct ipv6hdr *iph = ipv6_hdr(skb);
+ XFRM_MODE_SKB_CB(skb)->ihl = sizeof(*iph);
XFRM_MODE_SKB_CB(skb)->id = 0;
XFRM_MODE_SKB_CB(skb)->frag_off = htons(IP_DF);
XFRM_MODE_SKB_CB(skb)->tos = ipv6_get_dsfield(iph);
XFRM_MODE_SKB_CB(skb)->ttl = iph->hop_limit;
+ XFRM_MODE_SKB_CB(skb)->optlen = 0;
memcpy(XFRM_MODE_SKB_CB(skb)->flow_lbl, iph->flow_lbl,
sizeof(XFRM_MODE_SKB_CB(skb)->flow_lbl));