diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2004-07-31 09:33:16 -0700 |
---|---|---|
committer | David S. Miller <davem@nuts.davemloft.net> | 2004-07-31 09:33:16 -0700 |
commit | 3860b2810d0f5178a2be62541e516e8d8c968375 (patch) | |
tree | 1f0ced3c1e84490eb649db855a0711d76ddd0a63 /net | |
parent | 5eb968f95707988ced3badebac1ead6b2352b920 (diff) | |
download | history-3860b2810d0f5178a2be62541e516e8d8c968375.tar.gz |
[IPSEC]: xfrm_alloc_spi always succeeds on non-trivial range
xfrm_alloc_spi will always succeed if minspi < maxspi, even if
minspi + 1 == maxspi. If the range is already occupied this
will obviously lead to breakage.
Of course this is very unlikely to occur in reality due to the
size of the range. Although with IPCOMP it might actually happen
on a very large server.
The fix is obivous.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/xfrm/xfrm_state.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 1f57379203fd85..f45fa55c2c6c57 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -624,11 +624,12 @@ xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi) for (h=0; h<maxspi-minspi+1; h++) { spi = minspi + net_random()%(maxspi-minspi+1); x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family); - if (x0 == NULL) + if (x0 == NULL) { + x->id.spi = htonl(spi); break; + } xfrm_state_put(x0); } - x->id.spi = htonl(spi); } if (x->id.spi) { spin_lock_bh(&xfrm_state_lock); |