• Jakub Kicinski's avatar
    net: skmsg: fix TLS 1.3 crash with full sk_msg · 031097d9
    Jakub Kicinski authored
    TLS 1.3 started using the entry at the end of the SG array
    for chaining-in the single byte content type entry. This mostly
    works:
    
    [ E E E E E E . . ]
      ^           ^
       start       end
    
                     E < content type
                   /
    [ E E E E E E C . ]
      ^           ^
       start       end
    
    (Where E denotes a populated SG entry; C denotes a chaining entry.)
    
    If the array is full, however, the end will point to the start:
    
    [ E E E E E E E E ]
      ^
       start
       end
    
    And we end up overwriting the start:
    
        E < content type
       /
    [ C E E E E E E E ]
      ^
       start
       end
    
    The sg array is supposed to be a circular buffer with start and
    end markers pointing anywhere. In case where start > end
    (i.e. the circular buffer has "wrapped") there is an extra entry
    reserved at the end to chain the two halves together.
    
    [ E E E E E E . . l ]
    
    (Where l is the reserved entry for "looping" back to front.
    
    As suggested by John, let's reserve another entry for chaining
    SG entries after the main circular buffer. Note that this entry
    has to be pointed to by the end entry so its position is not fixed.
    
    Examples of full messages:
    
    [ E E E E E E E E . l ]
      ^               ^
       start           end
    
       <---------------.
    [ E E . E E E E E E l ]
          ^ ^
       end   start
    
    Now the end will always point to an unused entry, so TLS 1.3
    can always use it.
    
    Fixes: 130b392c ("net: tls: Add tls 1.3 support")
    Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
    Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    031097d9
tcp_bpf.c 15.6 KB