aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Kicinski <jakub.kicinski@netronome.com>2019-04-25 17:35:09 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-05-05 14:42:40 +0200
commitdd424182bc2d5af26b67f5885c182a02d00a18a6 (patch)
tree47a282280aba8eaaebfb9adc09607064186a4f1b
parentf1fd68e934091734c21e3ea21748d272f08b3fee (diff)
downloadlinux-yocto-dd424182bc2d5af26b67f5885c182a02d00a18a6.tar.gz
linux-yocto-dd424182bc2d5af26b67f5885c182a02d00a18a6.tar.bz2
linux-yocto-dd424182bc2d5af26b67f5885c182a02d00a18a6.zip
net/tls: don't copy negative amounts of data in reencrypt
[ Upstream commit 97e1caa517e22d62a283b876fb8aa5f4672c83dd ] There is no guarantee the record starts before the skb frags. If we don't check for this condition copy amount will get negative, leading to reads and writes to random memory locations. Familiar hilarity ensues. Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: John Hurley <john.hurley@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/tls/tls_device.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index c9588b682db4..8538ee22a582 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -600,14 +600,16 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
else
err = 0;
- copy = min_t(int, skb_pagelen(skb) - offset,
- rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+ if (skb_pagelen(skb) > offset) {
+ copy = min_t(int, skb_pagelen(skb) - offset,
+ rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
- if (skb->decrypted)
- skb_store_bits(skb, offset, buf, copy);
+ if (skb->decrypted)
+ skb_store_bits(skb, offset, buf, copy);
- offset += copy;
- buf += copy;
+ offset += copy;
+ buf += copy;
+ }
skb_walk_frags(skb, skb_iter) {
copy = min_t(int, skb_iter->len,