Commit e756682c authored by Steffen Klassert's avatar Steffen Klassert Committed by David S. Miller

xfrm: Fix off by one in the replay advance functions

We may write 4 byte too much when we reinitialize the anti replay
window in the replay advance functions. This patch fixes this by
adjusting the last index of the initialization loop.
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 665c8c8e
...@@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq) ...@@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
bitnr = bitnr & 0x1F; bitnr = bitnr & 0x1F;
replay_esn->bmp[nr] |= (1U << bitnr); replay_esn->bmp[nr] |= (1U << bitnr);
} else { } else {
nr = replay_esn->replay_window >> 5; nr = (replay_esn->replay_window - 1) >> 5;
for (i = 0; i <= nr; i++) for (i = 0; i <= nr; i++)
replay_esn->bmp[i] = 0; replay_esn->bmp[i] = 0;
...@@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq) ...@@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
bitnr = bitnr & 0x1F; bitnr = bitnr & 0x1F;
replay_esn->bmp[nr] |= (1U << bitnr); replay_esn->bmp[nr] |= (1U << bitnr);
} else { } else {
nr = replay_esn->replay_window >> 5; nr = (replay_esn->replay_window - 1) >> 5;
for (i = 0; i <= nr; i++) for (i = 0; i <= nr; i++)
replay_esn->bmp[i] = 0; replay_esn->bmp[i] = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment