From 0f99be0d115a5716292c58dfdb20d2eddd0f3387 Mon Sep 17 00:00:00 2001
From: Eric Dumazet
Date: Tue, 8 Jan 2008 23:39:06 -0800
Subject: [PATCH] [XFRM]: xfrm_algo_clone() allocates too much memory
alg_key_len is the length in bits of the key, not in bytes. Best way to fix this is to move alg_len() function from net/xfrm/xfrm_user.c to include/net/xfrm.h, and to use it in xfrm_algo_clone() alg_len() is renamed to xfrm_alg_len() because of its global exposition.
Signed-off-by: Eric Dumazet
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 7 ++++++-
 net/xfrm/xfrm_user.c | 17 ++++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 58dfa82889aa..1dd20cf17982 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1188,10 +1188,15 @@ static inline int xfrm_aevent_is_on(void)
 return ret;
 }
+static inline int xfrm_alg_len(struct xfrm_algo *alg)
+{
+ return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
+}
+
 #ifdef CONFIG_XFRM_MIGRATE
 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
 {
- return (struct xfrm_algo *)kmemdup(orig, sizeof(*orig) + orig->alg_key_len, GFP_KERNEL);
+ return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
 }
 static inline void xfrm_states_put(struct xfrm_state **states, int n)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e75dbdcb08a4..c4f6419b1769 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -31,11 +31,6 @@
 #include
 #endif
-static inline int alg_len(struct xfrm_algo *alg)
-{
- return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
-}
-
 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)
 {
 struct nlattr *rt = attrs[type];
@@ -45,7 +40,7 @@ static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)
 return 0;
 algp = nla_data(rt);
- if (nla_len(rt) < alg_len(algp))
+ if (nla_len(rt) < xfrm_alg_len(algp))
 return -EINVAL;
 switch (type) {
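Review bot: In include/net/xfrm.h, `xfrm_alg_len()` returns `int` and adds 7 to `alg->alg_key_len` before dividing, so if that field is an unsigned 32-bit bit count (its declaration is outside this hunk) a value close to the type's maximum wraps and the helper reports little more than the header size. `verify_one_alg()` in net/xfrm/xfrm_user.c compares that result with `nla_len(rt)` for data taken from a netlink attribute, so a check that rejects implausibly large `alg_key_len` values before the length comparison would keep the recorded key length and the copied size consistent. I would also declare the helper as `static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)` and put `/* alg_key_len is in bits; returns struct plus key size in bytes */` above it, since the bits/bytes mix-up is exactly what this commit fixes.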
@@ -204,7 +199,7 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
 return -ENOSYS;
 *props = algo->desc.sadb_alg_id;
- p = kmemdup(ualg, alg_len(ualg), GFP_KERNEL);
+ p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL);
 if (!p)
 return -ENOMEM;
@@ -516,9 +511,9 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
 NLA_PUT_U64(skb, XFRMA_LASTUSED, x->lastused);
 if (x->aalg)
- NLA_PUT(skb, XFRMA_ALG_AUTH, alg_len(x->aalg), x->aalg);
+ NLA_PUT(skb, XFRMA_ALG_AUTH, xfrm_alg_len(x->aalg), x->aalg);
 if (x->ealg)
- NLA_PUT(skb, XFRMA_ALG_CRYPT, alg_len(x->ealg), x->ealg);
+ NLA_PUT(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);
 if (x->calg)
 NLA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
@@ -1978,9 +1973,9 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
 {
 size_t l = 0;
 if (x->aalg)
- l += nla_total_size(alg_len(x->aalg));
+ l += nla_total_size(xfrm_alg_len(x->aalg));
 if (x->ealg)
- l += nla_total_size(alg_len(x->ealg));
+ l += nla_total_size(xfrm_alg_len(x->ealg));
 if (x->calg)
 l += nla_total_size(sizeof(*x->calg));
 if (x->encap)
--
2.30.2