From: Patrick McHardy Date: Mon, 9 Apr 2007 18:46:17 +0000 (-0700) Subject: [XFRM]: esp: fix skb_tail_pointer conversion bug X-Git-Tag: v2.6.22-rc1~1128^2~136 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=557922584d9c5b6b990bcfb2fec3134f0e73a05d;p=linux-2.6-omap-h63xx.git [XFRM]: esp: fix skb_tail_pointer conversion bug Fix incorrect switch of "trailer" skb by "skb" during skb_tail_pointer conversion: - *(u8*)(trailer->tail - 1) = top_iph->protocol; + *(skb_tail_pointer(skb) - 1) = top_iph->protocol; - *(u8 *)(trailer->tail - 1) = *skb_network_header(skb); + *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb); Signed-off-by: Patrick McHardy Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller
---
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5e5613930ff..bdc65d8af18 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -64,7 +64,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
 esph = (struct ip_esp_hdr *)(skb_network_header(skb) + top_iph->ihl * 4);
 top_iph->tot_len = htons(skb->len + alen);
- *(skb_tail_pointer(skb) - 1) = top_iph->protocol;
+ *(skb_tail_pointer(trailer) - 1) = top_iph->protocol;
 /* this is non-NULL only with UDP Encapsulation */
 if (x->encap) {
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index b8e8914cc00..6b76c4c3113 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -91,7 +91,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
 top_iph = (struct ipv6hdr *)__skb_push(skb, hdr_len);
 esph = (struct ipv6_esp_hdr *)skb_transport_header(skb);
 top_iph->payload_len = htons(skb->len + alen - sizeof(*top_iph));
- *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb);
+ *(skb_tail_pointer(trailer) - 1) = *skb_network_header(skb);
 *skb_network_header(skb) = IPPROTO_ESP;
 esph->spi = x->id.spi;
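Review bot: Nothing at the restored store `*(skb_tail_pointer(trailer) - 1) = top_iph->protocol;` in esp_output says why `trailer` rather than `skb` is the right buffer, which is how the mechanical skb_tail_pointer conversion went wrong in the first place; the same applies to the matching line in esp6_output in net/ipv6/esp6.c. When the two buffers differ, a write through `skb` would presumably land at the end of the head buffer's data and leave the real ESP trailer byte unset, so the peer would parse the decrypted payload with an arbitrary Next Header value. I would add a comment above each store such as `/* Next Header is the last byte of the ESP trailer, which lives in 'trailer', not necessarily in 'skb' */`. Where `trailer` is obtained and its tail advanced lies outside both hunks, so the wording should be checked against that code.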
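Review bot: In esp6_output the store reads `*skb_network_header(skb)` and the very next line overwrites that same byte with `IPPROTO_ESP`, so the two statements are order-dependent and nothing documents it. It also appears that the network header here points at a one-byte next-header field rather than at the start of the IPv6 header (which is `top_iph`), something a reader cannot tell from these lines. A short comment such as `/* save the original next-header value in the ESP trailer before replacing it with ESP */` would make the dependency explicit and guard against a reordering during later cleanups. The function body starts and continues outside the hunk.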