[stable] Patch "xfrm: Fix off by one in the replay advance functions" has been added to the 2.6.39-stable tree

Thu, 07 Jul 2011 16:47:25 -0700 

This is a note to let you know that I've just added the patch titled

    xfrm: Fix off by one in the replay advance functions

to the 2.6.39-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-fix-off-by-one-in-the-replay-advance-functions.patch
and it can be found in the queue-2.6.39 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 989d4bc59dbb997b5a17ff252eb3d1014c47102b Mon Sep 17 00:00:00 2001
From: Steffen Klassert <[email protected]>
Date: Sun, 5 Jun 2011 20:46:03 +0000
Subject: xfrm: Fix off by one in the replay advance functions


From: Steffen Klassert <[email protected]>

[ Upstream commit e756682c8baa47da1648c0c016e9f48ed66bc32d ]

We may write 4 byte too much when we reinitialize the anti replay
window in the replay advance functions. This patch fixes this by
adjusting the last index of the initialization loop.

Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 net/xfrm/xfrm_replay.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(stru
                        bitnr = bitnr & 0x1F;
                        replay_esn->bmp[nr] |= (1U << bitnr);
                } else {
-                       nr = replay_esn->replay_window >> 5;
+                       nr = (replay_esn->replay_window - 1) >> 5;
                        for (i = 0; i <= nr; i++)
                                replay_esn->bmp[i] = 0;
 
@@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(stru
                        bitnr = bitnr & 0x1F;
                        replay_esn->bmp[nr] |= (1U << bitnr);
                } else {
-                       nr = replay_esn->replay_window >> 5;
+                       nr = (replay_esn->replay_window - 1) >> 5;
                        for (i = 0; i <= nr; i++)
                                replay_esn->bmp[i] = 0;
 


Patches currently in stable-queue which might be from 
[email protected] are

queue-2.6.39/xfrm-fix-off-by-one-in-the-replay-advance-functions.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to