From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 30 Sep 2008 09:03:19 +0000 (-0700)
Subject: ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space
X-Git-Tag: v2.6.26.6~16
X-Git-Url: https://git.fsl.cs.sunysb.edu/?a=commitdiff_plain;h=b047cf6dfa81ca03b62f2e3ae63793ef5c300158;p=unionfs-2.6.39.y.git

ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

[ Upstream commit d01dbeb6af7a0848063033f73c3d146fec7451f3 ]

We're never supposed to shrink the headroom or tailroom.  In fact,
shrinking the headroom is a fatal action.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 3f964db908a..5360c86e95e 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -27,10 +27,14 @@ static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
 		- skb_headroom(skb);
 	int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
 
-	if (nhead > 0 || ntail > 0)
-		return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
-
-	return 0;
+	if (nhead <= 0) {
+		if (ntail <= 0)
+			return 0;
+		nhead = 0;
+	} else if (ntail < 0)
+		ntail = 0;
+
+	return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
 }
 
 static int xfrm_output_one(struct sk_buff *skb, int err)