Message-Id: <1605326982-2487-1-git-send-email-vfedorenko@novek.ru>
Date: Sat, 14 Nov 2020 07:09:42 +0300
From: Vadim Fedorenko <vfedorenko@...ek.ru>
To: Jakub Kicinski <kuba@...nel.org>,
Boris Pismenny <borisp@...dia.com>,
Aviad Yehezkel <aviadye@...dia.com>
Cc: Vadim Fedorenko <vfedorenko@...ek.ru>, netdev@...r.kernel.org
Subject: [net] net/tls: fix corrupted data in recvmsg
If a TCP socket has more data than the Encrypted Handshake Message, then
tls_sw_recvmsg will try to decrypt the next record instead of returning
the full control message to userspace as mentioned in the comment. The next
message - usually Application Data - gets corrupted because it uses
zero copy for decryption, which is why the data is not stored in the skb
for the next iteration. Disable zero copy for this case.
Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
Signed-off-by: Vadim Fedorenko <vfedorenko@...ek.ru>
---
net/tls/tls_sw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 95ab5545..e040be1 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1808,6 +1808,7 @@ int tls_sw_recvmsg(struct sock *sk,
if (to_decrypt <= len && !is_kvec && !is_peek &&
ctx->control == TLS_RECORD_TYPE_DATA &&
+ (!control || ctx->control == control) &&
prot->version != TLS_1_3_VERSION &&
!bpf_strp_enabled)
zc = true;
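Review bot: The added `(!control || ctx->control == control)` clause in the zero-copy condition has no comment, and its purpose cannot be read from the code alone, since `control` is a local whose role is not visible in this hunk. A short comment above the `if` would help, saying that zero copy must be skipped when the record about to be decrypted has a different type from the one already being returned in this call, because the decrypted data is then not kept in the skb for the next iteration. Because the condition already requires `ctx->control == TLS_RECORD_TYPE_DATA`, the new comparison reduces to `control == TLS_RECORD_TYPE_DATA`, which may read more directly. The diffstat shows only net/tls/tls_sw.c changing, so a regression test that queues a handshake record followed by application data before a single recvmsg() call would be a useful addition.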
--
1.8.3.1