[IPSEC]: Check xfrm state expiration on input after replay check.

de2d745b · Jean-Francois Dive · David S. Miller · 570f6c65 · de2d745b · de2d745b
Commit de2d745b authored Apr 10, 2003 by Jean-Francois Dive Committed by David S. Miller Apr 10, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

net/ipv4/xfrm4_input.c net/ipv4/xfrm4_input.c +3 -0

net/ipv6/xfrm6_input.c net/ipv6/xfrm6_input.c +3 -0

No files found.
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -48,6 +48,9 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
 		if (x->props.replay_window && xfrm_replay_check(x, seq))
 			goto drop_unlock;

+		if (xfrm_state_check_expire(x))
+			goto drop_unlock;
+
 		xfrm_vec[xfrm_nr].decap.decap_type = encap_type;
 		if (x->type->input(x, &(xfrm_vec[xfrm_nr].decap), skb))
 			goto drop_unlock;

--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -172,6 +172,9 @@ int xfrm6_rcv(struct sk_buff **pskb)
 		if (x->props.replay_window && xfrm_replay_check(x, seq))
 			goto drop_unlock;

+		if (xfrm_state_check_expire(x))
+			goto drop_unlock;
+
 		nexthdr = x->type->input(x, &(xfrm_vec[xfrm_nr].decap), skb);
 		if (nexthdr <= 0)
 			goto drop_unlock;