Commit 74da7792 authored by Dan Carpenter's avatar Dan Carpenter Committed by Jakub Kicinski

net/tcp_sigpool: Fix some off by one bugs

The "cpool_populated" variable is the number of elements in the cpool[]
array that have been populated.  It is incremented in
tcp_sigpool_alloc_ahash() every time we populate a new element.
Unpopulated elements are NULL but if we have populated every element then
this code will read one element beyond the end of the array.

Fixes: 8c73b263 ("net/tcp: Prepare tcp_md5sig_pool for TCP-AO")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/ce915d61-04bc-44fb-b450-35fcc9fc8831@moroto.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent 19b3f72a
...@@ -231,7 +231,7 @@ static void cpool_schedule_cleanup(struct kref *kref) ...@@ -231,7 +231,7 @@ static void cpool_schedule_cleanup(struct kref *kref)
*/ */
void tcp_sigpool_release(unsigned int id) void tcp_sigpool_release(unsigned int id)
{ {
if (WARN_ON_ONCE(id > cpool_populated || !cpool[id].alg)) if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg))
return; return;
/* slow-path */ /* slow-path */
...@@ -245,7 +245,7 @@ EXPORT_SYMBOL_GPL(tcp_sigpool_release); ...@@ -245,7 +245,7 @@ EXPORT_SYMBOL_GPL(tcp_sigpool_release);
*/ */
void tcp_sigpool_get(unsigned int id) void tcp_sigpool_get(unsigned int id)
{ {
if (WARN_ON_ONCE(id > cpool_populated || !cpool[id].alg)) if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg))
return; return;
kref_get(&cpool[id].kref); kref_get(&cpool[id].kref);
} }
...@@ -256,7 +256,7 @@ int tcp_sigpool_start(unsigned int id, struct tcp_sigpool *c) __cond_acquires(RC ...@@ -256,7 +256,7 @@ int tcp_sigpool_start(unsigned int id, struct tcp_sigpool *c) __cond_acquires(RC
struct crypto_ahash *hash; struct crypto_ahash *hash;
rcu_read_lock_bh(); rcu_read_lock_bh();
if (WARN_ON_ONCE(id > cpool_populated || !cpool[id].alg)) { if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg)) {
rcu_read_unlock_bh(); rcu_read_unlock_bh();
return -EINVAL; return -EINVAL;
} }
...@@ -301,7 +301,7 @@ EXPORT_SYMBOL_GPL(tcp_sigpool_end); ...@@ -301,7 +301,7 @@ EXPORT_SYMBOL_GPL(tcp_sigpool_end);
*/ */
size_t tcp_sigpool_algo(unsigned int id, char *buf, size_t buf_len) size_t tcp_sigpool_algo(unsigned int id, char *buf, size_t buf_len)
{ {
if (WARN_ON_ONCE(id > cpool_populated || !cpool[id].alg)) if (WARN_ON_ONCE(id >= cpool_populated || !cpool[id].alg))
return -EINVAL; return -EINVAL;
return strscpy(buf, cpool[id].alg, buf_len); return strscpy(buf, cpool[id].alg, buf_len);
......
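Review bot: `tcp_sigpool_algo()` in the last hunk is declared to return `size_t`, yet it returns `-EINVAL` when the corrected bounds check fails and passes through the result of `strscpy()`, which is negative when the copy is truncated; both turn into very large unsigned values. A caller that uses the result as a length, or tests it with `< 0`, would not notice the failure. Consider a signed return type, `ssize_t tcp_sigpool_algo(unsigned int id, char *buf, size_t buf_len)`, with the prototype and callers (not shown on this page) updated to match, plus a kernel-doc line such as `Return: number of bytes copied, or a negative errno`. The function's comment header and closing brace fall outside the hunk, so the existing documentation could not be checked here.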