Commit 3860b281 authored by Herbert Xu, committed by David S. Miller

[IPSEC]: xfrm_alloc_spi always succeeds on non-trivial range

xfrm_alloc_spi will always succeed if minspi < maxspi, even if
minspi + 1 == maxspi.  If the range is already occupied this
will obviously lead to breakage.

Of course this is very unlikely to occur in reality due to the
size of the range.  Although with IPCOMP it might actually happen
on a very large server.

The fix is obvious.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>
parent 5eb968f9
...@@ -624,11 +624,12 @@ xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi) ...@@ -624,11 +624,12 @@ xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi)
for (h=0; h<maxspi-minspi+1; h++) { for (h=0; h<maxspi-minspi+1; h++) {
spi = minspi + net_random()%(maxspi-minspi+1); spi = minspi + net_random()%(maxspi-minspi+1);
x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family); x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
if (x0 == NULL) if (x0 == NULL) {
x->id.spi = htonl(spi);
break; break;
}
xfrm_state_put(x0); xfrm_state_put(x0);
} }
x->id.spi = htonl(spi);
} }
if (x->id.spi) { if (x->id.spi) {
spin_lock_bh(&xfrm_state_lock); spin_lock_bh(&xfrm_state_lock);
......
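Review bot: With `x->id.spi = htonl(spi);` moved inside the `if (x0 == NULL)` branch, failure is now signalled only by `x->id.spi` still being zero at the `if (x->id.spi)` check, and nothing in this hunk shows that the field is zero on entry. Confirm it is cleared before the loop, or have the function return an error so callers can distinguish an exhausted range from a successful allocation. Separately, the loop draws `net_random()%(maxspi-minspi+1)` with replacement for only as many iterations as the range has values, so on a small, nearly full range (the IPCOMP case the commit message mentions) it can give up while a free SPI still exists; a linear scan of the range once the random probes fail would make the result deterministic.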