| From stable-bounces@linux.kernel.org Tue Sep 6 15:08:49 2005 |
| To: Krzysztof Oledzki <olel@ans.pl> |
| From: Herbert Xu <herbert@gondor.apana.org.au> |
| Cc: stable@kernel.org, "David S. Miller" <davem@davemloft.net> |
| Subject: [CRYPTO] Fix boundary check in standard multi-block cipher processors |
| |
| [CRYPTO] Fix boundary check in standard multi-block cipher processors |
| |
| Fixes Bug 5194 (IPSec related Oops in 2.6.13). |
| |
| The boundary check in the standard multi-block cipher processors are |
| broken when nbytes is not a multiple of bsize. In those cases it will |
| always process an extra block. |
| |
| This patch corrects the check so that it processes at most nbytes of data. |
| |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: Chris Wright <chrisw@osdl.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| crypto/cipher.c | 12 +++++++++--- |
| 1 files changed, 9 insertions(+), 3 deletions(-) |
| |
| Index: linux-2.6.13.y/crypto/cipher.c |
| =================================================================== |
| --- linux-2.6.13.y.orig/crypto/cipher.c |
| +++ linux-2.6.13.y/crypto/cipher.c |
| @@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt( |
| u8 *iv = desc->info; |
| unsigned int done = 0; |
| |
| + nbytes -= bsize; |
| + |
| do { |
| xor(iv, src); |
| fn(crypto_tfm_ctx(tfm), dst, iv); |
| @@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt( |
| |
| src += bsize; |
| dst += bsize; |
| - } while ((done += bsize) < nbytes); |
| + } while ((done += bsize) <= nbytes); |
| |
| return done; |
| } |
| @@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt( |
| u8 *iv = desc->info; |
| unsigned int done = 0; |
| |
| + nbytes -= bsize; |
| + |
| do { |
| u8 *tmp_dst = *dst_p; |
| |
| @@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt( |
| |
| src += bsize; |
| dst += bsize; |
| - } while ((done += bsize) < nbytes); |
| + } while ((done += bsize) <= nbytes); |
| |
| return done; |
| } |
| @@ -243,12 +247,14 @@ static unsigned int ecb_process(const st |
| void (*fn)(void *, u8 *, const u8 *) = desc->crfn; |
| unsigned int done = 0; |
| |
| + nbytes -= bsize; |
| + |
| do { |
| fn(crypto_tfm_ctx(tfm), dst, src); |
| |
| src += bsize; |
| dst += bsize; |
| - } while ((done += bsize) < nbytes); |
| + } while ((done += bsize) <= nbytes); |
| |
| return done; |
| } |