[CRYPTO]: Fix stack overrun in crypt().

The stack allocation in crypt() is bogus as whether tmp_src/tmp_dst is used is determined by factors unrelated to nbytes and src->length/dst->length. Since the condition for whether tmp_src/tmp_dst are used is very complex, let's allocate them always instead of guessing. This fixes a number of weird crashes including those AES crashes that people have been seeing with the 2.4 backport + ipt_conntrack. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: David S. Miller <davem@redhat.com>

[CRYPTO]: Fix stack overrun in crypt().
The stack allocation in crypt() is bogus as whether tmp_src/tmp_dst is used is determined by factors unrelated to nbytes and src->length/dst->length. Since the condition for whether tmp_src/tmp_dst are used is very complex, let's allocate them always instead of guessing. This fixes a number of weird crashes including those AES crashes that people have been seeing with the 2.4 backport + ipt_conntrack. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: David S. Miller <davem@redhat.com>
e8bc549d · Herbert Xu · David S. Miller · 964eb7b1 · e8bc549d
Commit e8bc549d authored Jul 21, 2004 by Herbert Xu Committed by David S. Miller Jul 21, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

crypto/cipher.c crypto/cipher.c +2 -2

No files found.
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -52,8 +52,8 @@ static int crypt(struct crypto_tfm *tfm,
 {
 	struct scatter_walk walk_in, walk_out;
 	const unsigned int bsize = crypto_tfm_alg_blocksize(tfm);
-	u8 tmp_src[nbytes > src->length ? bsize : 0];
+	u8 tmp_src[bsize];
-	u8 tmp_dst[nbytes > dst->length ? bsize : 0];
+	u8 tmp_dst[bsize];
 	if (!nbytes)
 		return 0;