releases/2.6.13.1/ipsec-oops-fix.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From stable-bounces@linux.kernel.org  Tue Sep  6 15:08:49 2005
 To: Krzysztof Oledzki <olel@ans.pl>
 From: Herbert Xu <herbert@gondor.apana.org.au>
 Cc: stable@kernel.org, "David S. Miller" <davem@davemloft.net>
 Subject: [CRYPTO] Fix boundary check in standard multi-block cipher processors

 [CRYPTO] Fix boundary check in standard multi-block cipher processors

 Fixes Bug 5194 (IPSec related Oops in 2.6.13).

 The boundary check in the standard multi-block cipher processors are
 broken when nbytes is not a multiple of bsize.  In those cases it will
 always process an extra block.

 This patch corrects the check so that it processes at most nbytes of data.

 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 Signed-off-by: Chris Wright <chrisw@osdl.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 ---
  crypto/cipher.c |   12 +++++++++---
  1 files changed, 9 insertions(+), 3 deletions(-)

 Index: linux-2.6.13.y/crypto/cipher.c
 ===================================================================
 --- linux-2.6.13.y.orig/crypto/cipher.c
 +++ linux-2.6.13.y/crypto/cipher.c
 @@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
  	u8 *iv = desc->info;
  	unsigned int done = 0;

 +	nbytes -= bsize;
 +
  	do {
  		xor(iv, src);
  		fn(crypto_tfm_ctx(tfm), dst, iv);
 @@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(

  		src += bsize;
  		dst += bsize;
 -	} while ((done += bsize) < nbytes);
 +	} while ((done += bsize) <= nbytes);

  	return done;
  }
 @@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
  	u8 *iv = desc->info;
  	unsigned int done = 0;

 +	nbytes -= bsize;
 +
  	do {
  		u8 *tmp_dst = *dst_p;

 @@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(

  		src += bsize;
  		dst += bsize;
 -	} while ((done += bsize) < nbytes);
 +	} while ((done += bsize) <= nbytes);

  	return done;
  }
 @@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
  	void (*fn)(void *, u8 *, const u8 *) = desc->crfn;
  	unsigned int done = 0;

 +	nbytes -= bsize;
 +
  	do {
  		fn(crypto_tfm_ctx(tfm), dst, src);

  		src += bsize;
  		dst += bsize;
 -	} while ((done += bsize) < nbytes);
 +	} while ((done += bsize) <= nbytes);

  	return done;
  }
	From stable-bounces@linux.kernel.org Tue Sep 6 15:08:49 2005
	To: Krzysztof Oledzki <olel@ans.pl>
	From: Herbert Xu <herbert@gondor.apana.org.au>
	Cc: stable@kernel.org, "David S. Miller" <davem@davemloft.net>
	Subject: [CRYPTO] Fix boundary check in standard multi-block cipher processors

	[CRYPTO] Fix boundary check in standard multi-block cipher processors

	Fixes Bug 5194 (IPSec related Oops in 2.6.13).

	The boundary check in the standard multi-block cipher processors are
	broken when nbytes is not a multiple of bsize. In those cases it will
	always process an extra block.

	This patch corrects the check so that it processes at most nbytes of data.

	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
	Signed-off-by: Chris Wright <chrisw@osdl.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	---
	crypto/cipher.c \| 12 +++++++++---
	1 files changed, 9 insertions(+), 3 deletions(-)

	Index: linux-2.6.13.y/crypto/cipher.c
	===================================================================
	--- linux-2.6.13.y.orig/crypto/cipher.c
	+++ linux-2.6.13.y/crypto/cipher.c
	@@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
	u8 *iv = desc->info;
	unsigned int done = 0;

	+ nbytes -= bsize;
	+
	do {
	xor(iv, src);
	fn(crypto_tfm_ctx(tfm), dst, iv);
	@@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(

	src += bsize;
	dst += bsize;
	- } while ((done += bsize) < nbytes);
	+ } while ((done += bsize) <= nbytes);

	return done;
	}
	@@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
	u8 *iv = desc->info;
	unsigned int done = 0;

	+ nbytes -= bsize;
	+
	do {
	u8 tmp_dst = dst_p;

	@@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(

	src += bsize;
	dst += bsize;
	- } while ((done += bsize) < nbytes);
	+ } while ((done += bsize) <= nbytes);

	return done;
	}
	@@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
	void (fn)(void , u8 , const u8 ) = desc->crfn;
	unsigned int done = 0;

	+ nbytes -= bsize;
	+
	do {
	fn(crypto_tfm_ctx(tfm), dst, src);

	src += bsize;
	dst += bsize;
	- } while ((done += bsize) < nbytes);
	+ } while ((done += bsize) <= nbytes);

	return done;
	}