Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S268025AbUIGMrA (ORCPT ); Tue, 7 Sep 2004 08:47:00 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S268024AbUIGMq7 (ORCPT ); Tue, 7 Sep 2004 08:46:59 -0400 Received: from arnor.apana.org.au ([203.14.152.115]:63760 "EHLO arnor.apana.org.au") by vger.kernel.org with ESMTP id S268019AbUIGMqv (ORCPT ); Tue, 7 Sep 2004 08:46:51 -0400 From: Herbert Xu To: util@deuroconsult.ro (Catalinux aka Dino BOIE) Subject: Re: [PATCH] Trivial fix for out of bounds array access in xfrm4_policy_check Cc: netdev@oss.sgi.com, linux-kernel@vger.kernel.org Organization: Core In-Reply-To: X-Newsgroups: apana.lists.os.linux.kernel,apana.lists.os.linux.netdev User-Agent: tin/1.7.4-20040225 ("Benbecula") (UNIX) (Linux/2.4.26-1-686-smp (i686)) Message-Id: Date: Tue, 07 Sep 2004 22:46:22 +1000 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 796 Lines: 22 Catalinux aka Dino BOIE wrote: > > Coverity found a bug in accessing xfrm4_policy_check using XFRM_POLICY_FWD > (=2) as index in sk->sk_policy. > > sk->sk_policy[] is defined in sock.h as: > > struct xfrm_policy *sk_policy[2]; > > Attached is the fix. This is bogus as if the packet is forwarded then sk == NULL. -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/