From 67d349ed603d5ce4a6f1722b1736e2bcef0e8690 Mon Sep 17 00:00:00 2001
From: Ilan Tayari
Date: Sun, 30 Apr 2017 16:34:38 +0300
Subject: [PATCH] net/esp4: Fix invalid esph pointer crash

Both esp_output and esp_xmit take a pointer to the ESP header and place it in esp_info struct prior to calling esp_output_head.

Inside esp_output_head, the call to esp_output_udp_encap makes sure to update the pointer if it gets invalid. However, if esp_output_head itself calls skb_cow_data, the pointer is not updated and stays invalid, causing a crash after esp_output_head returns.

Update the pointer if it becomes invalid in esp_output_head

Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output")
Signed-off-by: Ilan Tayari
Signed-off-by: David S. Miller
---
 net/ipv4/esp4.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 7f2caf71212b..65cc02bd82bc 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -317,6 +317,7 @@ cow:
 if (nfrags < 0)
 goto out;
 tail = skb_tail_pointer(trailer);
+ esp->esph = ip_esp_hdr(skb);
 
 skip_cow:
 esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto);
-- 
2.30.2
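Review bot: The added `esp->esph = ip_esp_hdr(skb);` resets the pointer to the transport header, which is only correct if the ESP header still starts there when the `cow:` path runs. The commit message says esp_output_udp_encap may already have updated `esp->esph`; if that update placed it after an encapsulation header (not visible in this hunk, so this needs confirming), the recomputed pointer would land on the wrong bytes and later writes through it would corrupt the packet. Preserving the offset is safer: record `esph_offset = (unsigned char *)esp->esph - skb_transport_header(skb);` before the skb_cow_data call and restore with `esp->esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esph_offset);`. The skb_cow_data call and the start of esp_output_head are outside the hunk. A one-line comment above the assignment saying that skb_cow_data may reallocate the header data would also help readers see why the pointer is refreshed.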