ah: Correctly pass error codes in ahash output callback.
author Nick Bowler <nbowler@elliptictech.com>
Tue, 8 Nov 2011 12:12:44 +0000 (12:12 +0000)
committer Greg Kroah-Hartman <gregkh@suse.de>
Thu, 26 Jan 2012 01:24:51 +0000 (17:24 -0800)
commit 069294e813ed5f27f82613b027609bcda5f1b914 upstream.

The AH4/6 ahash output callbacks pass nexthdr to xfrm_output_resume
instead of the error code.  This appears to be a copy+paste error from
the input case, where nexthdr is expected.  This causes the driver to
continuously add AH headers to the datagram until either an allocation
fails and the packet is dropped or the ahash driver hits a synchronous
fallback and the resulting monstrosity is transmitted.

Correct this issue by simply passing the error code unadulterated.

Signed-off-by: Nick Bowler <nbowler@elliptictech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/ipv4/ah4.c
net/ipv6/ah6.c

index c1f4154552fc582320e276e6768831ed9ec32548..33ca18603e3bdb73bb762355d97e226fbc6fa311 100644 (file)
@@ -136,8 +136,6 @@ static void ah_output_done(struct crypto_async_request *base, int err)
                memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
        }
 
-       err = ah->nexthdr;
-
        kfree(AH_SKB_CB(skb)->tmp);
        xfrm_output_resume(skb, err);
 }
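Review bot: A one-line comment above `xfrm_output_resume(skb, err)` in ah_output_done is missing and would help keep this from regressing. The commit message traces the bug to code copied from the input callback, where nexthdr is the expected value, so it is worth stating here that the output path hands the ahash completion status through unchanged. The removal itself is right: with `err = ah->nexthdr;` gone, the callback's `err` argument reaches xfrm_output_resume untouched.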
index 2195ae651923e0e3242c3e61738fed91d19711ff..ede4d9d6cc2b6cd6e94dadcc7a17f4ef3d27a4b8 100644 (file)
@@ -324,8 +324,6 @@ static void ah6_output_done(struct crypto_async_request *base, int err)
 #endif
        }
 
-       err = ah->nexthdr;
-
        kfree(AH_SKB_CB(skb)->tmp);
        xfrm_output_resume(skb, err);
 }
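Review bot: After removing `err = ah->nexthdr;` from ah6_output_done, confirm that the `ah` local is still referenced elsewhere in the function. If this was its last use, drop the declaration in the same patch so the build stays free of unused-variable warnings. The same check applies to ah_output_done in net/ipv4/ah4.c, since both callbacks receive the identical two-line removal.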