shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00
Code Issues Packages Projects Releases Wiki Activity

net/tls: don't copy negative amounts of data in reencrypt

Browse Source 
[ Upstream commit 97e1caa517 ]

There is no guarantee the record starts before the skb frags.
If we don't check for this condition copy amount will get
negative, leading to reads and writes to random memory locations.
Familiar hilarity ensues.

Fixes: 4799ac81e5 ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: John Hurley <john.hurley@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Jakub Kicinski
2019-04-25 17:35:09 -07:00
committed by Greg Kroah-Hartman
parent f1fd68e934
commit dd424182bc
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
net/tls/tls_device.c
View File

@@ -600,14 +600,16 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
else
err = 0;
copy = min_t(int, skb_pagelen(skb) - offset,
rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
if (skb_pagelen(skb) > offset) {
copy = min_t(int, skb_pagelen(skb) - offset,
rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
if (skb->decrypted)
skb_store_bits(skb, offset, buf, copy);
if (skb->decrypted)
skb_store_bits(skb, offset, buf, copy);
offset += copy;
buf += copy;
offset += copy;
buf += copy;
}
skb_walk_frags(skb, skb_iter) {
copy = min_t(int, skb_iter->len,