releases/4.9.94/rxrpc-check-return-value-of-skb_to_sgvec-always.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001
 From: "Jason A. Donenfeld" <Jason@zx2c4.com>
 Date: Sun, 4 Jun 2017 04:16:24 +0200
 Subject: rxrpc: check return value of skb_to_sgvec always

 From: Jason A. Donenfeld <Jason@zx2c4.com>

 commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream.

 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 Acked-by: David Howells <dhowells@redhat.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/rxrpc/rxkad.c |   19 ++++++++++++++-----
  1 file changed, 14 insertions(+), 5 deletions(-)

 --- a/net/rxrpc/rxkad.c
 +++ b/net/rxrpc/rxkad.c
 @@ -229,7 +229,9 @@ static int rxkad_secure_packet_encrypt(c
  	len &= ~(call->conn->size_align - 1);

  	sg_init_table(sg, nsg);
 -	skb_to_sgvec(skb, sg, 0, len);
 +	err = skb_to_sgvec(skb, sg, 0, len);
 +	if (unlikely(err < 0))
 +		goto out;
  	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
  	crypto_skcipher_encrypt(req);

 @@ -325,7 +327,7 @@ static int rxkad_verify_packet_1(struct
  	struct sk_buff *trailer;
  	u32 data_size, buf;
  	u16 check;
 -	int nsg;
 +	int nsg, ret;

  	_enter("");

 @@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct
  		goto nomem;

  	sg_init_table(sg, nsg);
 -	skb_to_sgvec(skb, sg, offset, 8);
 +	ret = skb_to_sgvec(skb, sg, offset, 8);
 +	if (unlikely(ret < 0))
 +		return ret;

  	/* start the decryption afresh */
  	memset(&iv, 0, sizeof(iv));
 @@ -405,7 +409,7 @@ static int rxkad_verify_packet_2(struct
  	struct sk_buff *trailer;
  	u32 data_size, buf;
  	u16 check;
 -	int nsg;
 +	int nsg, ret;

  	_enter(",{%d}", skb->len);

 @@ -429,7 +433,12 @@ static int rxkad_verify_packet_2(struct
  	}

  	sg_init_table(sg, nsg);
 -	skb_to_sgvec(skb, sg, offset, len);
 +	ret = skb_to_sgvec(skb, sg, offset, len);
 +	if (unlikely(ret < 0)) {
 +		if (sg != _sg)
 +			kfree(sg);
 +		return ret;
 +	}

  	/* decrypt from the session key */
  	token = call->conn->params.key->payload.data[0];
	From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001
	From: "Jason A. Donenfeld" <Jason@zx2c4.com>
	Date: Sun, 4 Jun 2017 04:16:24 +0200
	Subject: rxrpc: check return value of skb_to_sgvec always

	From: Jason A. Donenfeld <Jason@zx2c4.com>

	commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream.

	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	Acked-by: David Howells <dhowells@redhat.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/rxrpc/rxkad.c \| 19 ++++++++++++++-----
	1 file changed, 14 insertions(+), 5 deletions(-)

	--- a/net/rxrpc/rxkad.c
	+++ b/net/rxrpc/rxkad.c
	@@ -229,7 +229,9 @@ static int rxkad_secure_packet_encrypt(c
	len &= ~(call->conn->size_align - 1);

	sg_init_table(sg, nsg);
	- skb_to_sgvec(skb, sg, 0, len);
	+ err = skb_to_sgvec(skb, sg, 0, len);
	+ if (unlikely(err < 0))
	+ goto out;
	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
	crypto_skcipher_encrypt(req);

	@@ -325,7 +327,7 @@ static int rxkad_verify_packet_1(struct
	struct sk_buff *trailer;
	u32 data_size, buf;
	u16 check;
	- int nsg;
	+ int nsg, ret;

	_enter("");

	@@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct
	goto nomem;

	sg_init_table(sg, nsg);
	- skb_to_sgvec(skb, sg, offset, 8);
	+ ret = skb_to_sgvec(skb, sg, offset, 8);
	+ if (unlikely(ret < 0))
	+ return ret;

	/* start the decryption afresh */
	memset(&iv, 0, sizeof(iv));
	@@ -405,7 +409,7 @@ static int rxkad_verify_packet_2(struct
	struct sk_buff *trailer;
	u32 data_size, buf;
	u16 check;
	- int nsg;
	+ int nsg, ret;

	_enter(",{%d}", skb->len);

	@@ -429,7 +433,12 @@ static int rxkad_verify_packet_2(struct
	}

	sg_init_table(sg, nsg);
	- skb_to_sgvec(skb, sg, offset, len);
	+ ret = skb_to_sgvec(skb, sg, offset, len);
	+ if (unlikely(ret < 0)) {
	+ if (sg != _sg)
	+ kfree(sg);
	+ return ret;
	+ }

	/* decrypt from the session key */
	token = call->conn->params.key->payload.data[0];