Skip to content

Commit e756682

Browse files
klassertdavem330
klassert
authored and
davem330
committed
xfrm: Fix off by one in the replay advance functions
We may write 4 byte too much when we reinitialize the anti replay window in the replay advance functions. This patch fixes this by adjusting the last index of the initialization loop. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 665c8c8 commit e756682

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

net/xfrm/xfrm_replay.c

+2-2
Original file line numberDiff line numberDiff line change
@@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
265265
bitnr = bitnr & 0x1F;
266266
replay_esn->bmp[nr] |= (1U << bitnr);
267267
} else {
268-
nr = replay_esn->replay_window >> 5;
268+
nr = (replay_esn->replay_window - 1) >> 5;
269269
for (i = 0; i <= nr; i++)
270270
replay_esn->bmp[i] = 0;
271271

@@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
471471
bitnr = bitnr & 0x1F;
472472
replay_esn->bmp[nr] |= (1U << bitnr);
473473
} else {
474-
nr = replay_esn->replay_window >> 5;
474+
nr = (replay_esn->replay_window - 1) >> 5;
475475
for (i = 0; i <= nr; i++)
476476
replay_esn->bmp[i] = 0;
477477

0 commit comments

Comments
 (0)