7921895a5e852fc99de347bc0600659997de9298 - kernel/msm-4.9

commit	7921895a5e852fc99de347bc0600659997de9298	[log] [tgz]
author	Daniel Borkmann <dborkman@redhat.com>	Mon Aug 05 12:49:35 2013 +0200
committer	David S. Miller <davem@davemloft.net>	Mon Aug 05 12:26:50 2013 -0700
tree	0806f91433c6a67fa20a679d9c5db4809cf981d9
parent	07ce76aa9bcf8bc106a53c67548c5602f1598595 [diff]

net: esp{4,6}: fix potential MTU calculation overflows

Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
size calculation") introduced a possible interger overflow in
esp{4,6}_get_mtu() handlers in case of x->props.mode equals
XFRM_MODE_TUNNEL. Thus, the following expression will overflow

  unsigned int net_adj;
  ...
  <case ipv{4,6} XFRM_MODE_TUNNEL>
         net_adj = 0;
  ...
  return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
           net_adj) & ~(align - 1)) + (net_adj - 2);

where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
context. Fix it by simply removing brackets as those operations here
do not need to have special precedence.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Benjamin Poirier <bpoirier@suse.de>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Benjamin Poirier <bpoirier@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed

tree: 0806f91433c6a67fa20a679d9c5db4809cf981d9