From: Patrick McHardy Date: Mon, 9 Apr 2007 18:46:17 +0000 (-0700) Subject: [XFRM]: esp: fix skb_tail_pointer conversion bug X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=557922584d9c5b6b990bcfb2fec3134f0e73a05d;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [XFRM]: esp: fix skb_tail_pointer conversion bug Fix incorrect switch of "trailer" skb by "skb" during skb_tail_pointer conversion: - *(u8*)(trailer->tail - 1) = top_iph->protocol; + *(skb_tail_pointer(skb) - 1) = top_iph->protocol; - *(u8 *)(trailer->tail - 1) = *skb_network_header(skb); + *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb); Signed-off-by: Patrick McHardy Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller --- diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 5e5613930ffb..bdc65d8af181 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -64,7 +64,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) esph = (struct ip_esp_hdr *)(skb_network_header(skb) + top_iph->ihl * 4); top_iph->tot_len = htons(skb->len + alen); - *(skb_tail_pointer(skb) - 1) = top_iph->protocol; + *(skb_tail_pointer(trailer) - 1) = top_iph->protocol; /* this is non-NULL only with UDP Encapsulation */ if (x->encap) { diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index b8e8914cc002..6b76c4c31137 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -91,7 +91,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) top_iph = (struct ipv6hdr *)__skb_push(skb, hdr_len); esph = (struct ipv6_esp_hdr *)skb_transport_header(skb); top_iph->payload_len = htons(skb->len + alen - sizeof(*top_iph)); - *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb); + *(skb_tail_pointer(trailer) - 1) = *skb_network_header(skb); *skb_network_header(skb) = IPPROTO_ESP; esph->spi = x->id.spi;