[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190504102452.122933007@linuxfoundation.org>
Date: Sat, 4 May 2019 12:25:20 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org,
Jakub Kicinski <jakub.kicinski@...ronome.com>,
John Hurley <john.hurley@...ronome.com>,
"David S. Miller" <davem@...emloft.net>
Subject: [PATCH 4.19 18/23] net/tls: dont copy negative amounts of data in reencrypt
From: Jakub Kicinski <jakub.kicinski@...ronome.com>
[ Upstream commit 97e1caa517e22d62a283b876fb8aa5f4672c83dd ]
There is no guarantee the record starts before the skb frags.
If we don't check for this condition copy amount will get
negative, leading to reads and writes to random memory locations.
Familiar hilarity ensues.
Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@...ronome.com>
Reviewed-by: John Hurley <john.hurley@...ronome.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/tls/tls_device.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -600,14 +600,16 @@ static int tls_device_reencrypt(struct s
else
err = 0;
- copy = min_t(int, skb_pagelen(skb) - offset,
- rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+ if (skb_pagelen(skb) > offset) {
+ copy = min_t(int, skb_pagelen(skb) - offset,
+ rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
- if (skb->decrypted)
- skb_store_bits(skb, offset, buf, copy);
+ if (skb->decrypted)
+ skb_store_bits(skb, offset, buf, copy);
- offset += copy;
- buf += copy;
+ offset += copy;
+ buf += copy;
+ }
skb_walk_frags(skb, skb_iter) {
copy = min_t(int, skb_iter->len,
Powered by blists - more mailing lists