Commit 7260042b authored by Lee Nipper's avatar Lee Nipper Committed by Herbert Xu

crypto: talitos - fix bug in sg_copy_end_to_buffer

In function sg_copy_end_to_buffer, too much data
is copied when a segment in the scatterlist
has .length greater than the requested copy length.

This patch adds the limit checks to fix this bug of over copying,
which affected only the ahash algorithms.
Signed-off-by: default avatarLee Nipper <lee.nipper@gmail.com>
Acked-by: default avatarKim Phillips <kim.phillips@freescale.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 2716fbf6
...@@ -1183,10 +1183,14 @@ static size_t sg_copy_end_to_buffer(struct scatterlist *sgl, unsigned int nents, ...@@ -1183,10 +1183,14 @@ static size_t sg_copy_end_to_buffer(struct scatterlist *sgl, unsigned int nents,
/* Copy part of this segment */ /* Copy part of this segment */
ignore = skip - offset; ignore = skip - offset;
len = miter.length - ignore; len = miter.length - ignore;
if (boffset + len > buflen)
len = buflen - boffset;
memcpy(buf + boffset, miter.addr + ignore, len); memcpy(buf + boffset, miter.addr + ignore, len);
} else { } else {
/* Copy all of this segment */ /* Copy all of this segment (up to buflen) */
len = miter.length; len = miter.length;
if (boffset + len > buflen)
len = buflen - boffset;
memcpy(buf + boffset, miter.addr, len); memcpy(buf + boffset, miter.addr, len);
} }
boffset += len; boffset += len;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment