[IPSEC]: xfrm_alloc_spi always succeeds on non-trivial range

xfrm_alloc_spi will always succeed if minspi < maxspi, even if minspi + 1 == maxspi. If the range is already occupied this will obviously lead to breakage. Of course this is very unlikely to occur in reality due to the size of the range. Although with IPCOMP it might actually happen on a very large server. The fix is obivous. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@redhat.com>
author: Herbert Xu <herbert@gondor.apana.org.au> 2004-07-31 09:33:16 -0700
committer: David S. Miller <davem@nuts.davemloft.net> 2004-07-31 09:33:16 -0700
commit: 3860b2810d0f5178a2be62541e516e8d8c968375 (patch)
tree: 1f0ced3c1e84490eb649db855a0711d76ddd0a63 /net
parent: 5eb968f95707988ced3badebac1ead6b2352b920 (diff)
download: history-3860b2810d0f5178a2be62541e516e8d8c968375.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 1f57379203fd85..f45fa55c2c6c57 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -624,11 +624,12 @@ xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi)
 		for (h=0; h<maxspi-minspi+1; h++) {
 			spi = minspi + net_random()%(maxspi-minspi+1);
 			x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
-			if (x0 == NULL)
+			if (x0 == NULL) {
+				x->id.spi = htonl(spi);
 				break;
+			}
 			xfrm_state_put(x0);
 		}
-		x->id.spi = htonl(spi);
 	}
 	if (x->id.spi) {
 		spin_lock_bh(&xfrm_state_lock);
author	Herbert Xu <herbert@gondor.apana.org.au>	2004-07-31 09:33:16 -0700
committer	David S. Miller <davem@nuts.davemloft.net>	2004-07-31 09:33:16 -0700
commit	3860b2810d0f5178a2be62541e516e8d8c968375 (patch)
tree	1f0ced3c1e84490eb649db855a0711d76ddd0a63 /net
parent	5eb968f95707988ced3badebac1ead6b2352b920 (diff)
download	history-3860b2810d0f5178a2be62541e516e8d8c968375.tar.gz