[PATCH 3/5] xfrm_lookup bugs

To:	"David S. Miller" <davem@xxxxxxxxxx>
Subject:	[PATCH 3/5] xfrm_lookup bugs
From:	Krishna Kumar <krkumar@xxxxxxxxxx>
Date:	Tue, 13 Jan 2004 13:23:35 -0800 (PST)
Cc:	netdev@xxxxxxxxxxx
In-reply-to:	<Pine.LNX.4.44.0401131319510.25742-100000@linux-udp14999547uds>
Sender:	netdev-bounce@xxxxxxxxxxx

In xfrm_lookup, a couple of bugs :
        - the found or allocated xfrm_states are not passed correctly to
          xfrm_bundle_create (and to the subsequent frees in case of create
          failing) if the first xfrm_tmpl_resolve failed and the second one
          succeeded.
        - error handling is wrong.

thanks,

- KK

diff -ruN linux-2.6.0-rc2-bk6.org/net/xfrm/xfrm_policy.c 
linux-2.6.0-rc2-bk6/net/xfrm/xfrm_policy.c
--- linux-2.6.0-rc2-bk6.org/net/xfrm/xfrm_policy.c      2004-01-09 
12:42:53.000000000 -0800
+++ linux-2.6.0-rc2-bk6/net/xfrm/xfrm_policy.c  2004-01-12 09:55:26.000000000 
-0800
@@ -783,25 +783,27 @@

                                __set_task_state(tsk, TASK_INTERRUPTIBLE);
                                add_wait_queue(&km_waitq, &wait);
-                               err = xfrm_tmpl_resolve(policy, fl, xfrm, 
family);
-                               if (err == -EAGAIN)
+                               nx = xfrm_tmpl_resolve(policy, fl, xfrm, 
family);
+                               if (nx == -EAGAIN)
                                        schedule();
                                __set_task_state(tsk, TASK_RUNNING);
                                remove_wait_queue(&km_waitq, &wait);

-                               if (err == -EAGAIN && signal_pending(current)) {
+                               if (nx == -EAGAIN && signal_pending(current)) {
                                        err = -ERESTART;
                                        goto error;
                                }
-                               if (err == -EAGAIN ||
+                               if (nx == -EAGAIN ||
                                    genid != atomic_read(&flow_cache_genid)) {
                                        xfrm_pol_put(policy);
                                        goto restart;
                                }
+                               err = nx;
                        }
-                       if (err)
+                       if (err < 0)
                                goto error;
-               } else if (nx == 0) {
+               }
+               if (nx == 0) {
                        /* Flow passes not transformed. */
                        xfrm_pol_put(policy);
                        return 0;

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH] Bugs in xfrm, Krishna Kumar Re: [PATCH] Bugs in xfrm, David S. Miller Re: [PATCH] Bugs in xfrm, Krishna Kumar Re: [PATCH] Bugs in xfrm, David S. Miller [PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, Krishna Kumar [PATCH 2/5] Bad dereference of xfrm_state in pf_key, Krishna Kumar Re: [PATCH 2/5] Bad dereference of xfrm_state in pf_key, David S. Miller [PATCH 3/5] xfrm_lookup bugs, Krishna Kumar <= Re: [PATCH 3/5] xfrm_lookup bugs, David S. Miller [PATCH 4/5] xfrm_state_construct doesn't set tunnel state, Krishna Kumar Re: [PATCH 4/5] xfrm_state_construct doesn't set tunnel state, David S. Miller [PATCH 5/5] schedule() bug in xfrm_lookup(), Krishna Kumar Re: [PATCH 5/5] schedule() bug in xfrm_lookup(), David S. Miller Re: [PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, David S. Miller

Previous by Date:	[PATCH 2/5] Bad dereference of xfrm_state in pf_key, Krishna Kumar
Next by Date:	[PATCH 4/5] xfrm_state_construct doesn't set tunnel state, Krishna Kumar
Previous by Thread:	Re: [PATCH 2/5] Bad dereference of xfrm_state in pf_key, David S. Miller
Next by Thread:	Re: [PATCH 3/5] xfrm_lookup bugs, David S. Miller
Indexes:	[Date] [Thread] [Top] [All Lists]