[Swan-dev] odd code in linux/net/ipsec/ipsec_proc.c

[D. Hugh Redelmeier]

	if (sa_p->ips_iv_bits) {
		int j;
		seq_printf(seq, " iv_bits=%dbits iv=0x", sa_p->ips_iv_bits);

#ifdef CONFIG_KLIPS_OCF
		if (!sa_p->ips_iv) {
			/* ocf doesn't set the IV, fake it for the UML tests */
			seq_printf(seq, "0cf0");
			for (j = 0; j < (sa_p->ips_iv_bits / 8) - 2; j++)
				seq_printf(seq, "%02x", (int) ((((long)sa_p) >> j) & 0xff));
		} else
#endif
		for (j = 0; j < sa_p->ips_iv_bits / 8; j++)
			seq_printf(seq, "%02x", (__u32)((__u8*)(sa_p->ips_iv))[j]);
	}

notice that the seq_printf inside the first for prints a very odd value:

sa_p appears to be a pointer.

It casts the pointer to a long, shifts that long by j bits (even
though j is a byte count), and then masks it with 0xff.

Note that each time through the loop, j is increased by one.  Only if j
were increasing by 8 would this shift make any sense.

So what does this print?  Crap.

Why would you even want to print the pointer, or as many bytes of
pointer as there are bytes in the IV?

What is intended here?

Both for loops seem to assume that ips_iv_bits is a multiple of 8.  Is
that always true?

I'm guessing that
				seq_printf(seq, "%02x", 0);
makes as much sense as anything since the comment says that the IV isn't set.