[XFRM]: esp: fix skb_tail_pointer conversion bug

Fix incorrect switch of "trailer" skb by "skb" during skb_tail_pointer
conversion:

-       *(u8*)(trailer->tail - 1) = top_iph->protocol;
+       *(skb_tail_pointer(skb) - 1) = top_iph->protocol;

-       *(u8 *)(trailer->tail - 1) = *skb_network_header(skb);
+       *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb);

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5e56139..bdc65d8 100644 (file)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -64,7 +64,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        esph = (struct ip_esp_hdr *)(skb_network_header(skb) +
                                     top_iph->ihl * 4);
        top_iph->tot_len = htons(skb->len + alen);
-       *(skb_tail_pointer(skb) - 1) = top_iph->protocol;
+       *(skb_tail_pointer(trailer) - 1) = top_iph->protocol;
 
        /* this is non-NULL only with UDP Encapsulation */
        if (x->encap) {

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index b8e8914..6b76c4c 100644 (file)
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -91,7 +91,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        top_iph = (struct ipv6hdr *)__skb_push(skb, hdr_len);
        esph = (struct ipv6_esp_hdr *)skb_transport_header(skb);
        top_iph->payload_len = htons(skb->len + alen - sizeof(*top_iph));
-       *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb);
+       *(skb_tail_pointer(trailer) - 1) = *skb_network_header(skb);
        *skb_network_header(skb) = IPPROTO_ESP;
 
        esph->spi = x->id.spi;