Commit 97e1caa5 authored by Jakub Kicinski's avatar Jakub Kicinski Committed by David S. Miller

net/tls: don't copy negative amounts of data in reencrypt

There is no guarantee the record starts before the skb frags.
If we don't check for this condition copy amount will get
negative, leading to reads and writes to random memory locations.
Familiar hilarity ensues.

Fixes: 4799ac81 ("tls: Add rx inline crypto offload")
Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: default avatarJohn Hurley <john.hurley@netronome.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b2a20fd0
...@@ -628,6 +628,7 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) ...@@ -628,6 +628,7 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
else else
err = 0; err = 0;
if (skb_pagelen(skb) > offset) {
copy = min_t(int, skb_pagelen(skb) - offset, copy = min_t(int, skb_pagelen(skb) - offset,
rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
...@@ -636,6 +637,7 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) ...@@ -636,6 +637,7 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
offset += copy; offset += copy;
buf += copy; buf += copy;
}
skb_walk_frags(skb, skb_iter) { skb_walk_frags(skb, skb_iter) {
copy = min_t(int, skb_iter->len, copy = min_t(int, skb_iter->len,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment