| From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001 |
| From: "Jason A. Donenfeld" <Jason@zx2c4.com> |
| Date: Sun, 4 Jun 2017 04:16:24 +0200 |
| Subject: rxrpc: check return value of skb_to_sgvec always |
| |
| From: Jason A. Donenfeld <Jason@zx2c4.com> |
| |
| commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream. |
| |
| Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> |
| Acked-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/rxrpc/rxkad.c | 19 ++++++++++++++----- |
| 1 file changed, 14 insertions(+), 5 deletions(-) |
| |
| --- a/net/rxrpc/rxkad.c |
| +++ b/net/rxrpc/rxkad.c |
| @@ -229,7 +229,9 @@ static int rxkad_secure_packet_encrypt(c |
| len &= ~(call->conn->size_align - 1); |
| |
| sg_init_table(sg, nsg); |
| - skb_to_sgvec(skb, sg, 0, len); |
| + err = skb_to_sgvec(skb, sg, 0, len); |
| + if (unlikely(err < 0)) |
| + goto out; |
| skcipher_request_set_crypt(req, sg, sg, len, iv.x); |
| crypto_skcipher_encrypt(req); |
| |
| @@ -325,7 +327,7 @@ static int rxkad_verify_packet_1(struct |
| struct sk_buff *trailer; |
| u32 data_size, buf; |
| u16 check; |
| - int nsg; |
| + int nsg, ret; |
| |
| _enter(""); |
| |
| @@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct |
| goto nomem; |
| |
| sg_init_table(sg, nsg); |
| - skb_to_sgvec(skb, sg, offset, 8); |
| + ret = skb_to_sgvec(skb, sg, offset, 8); |
| + if (unlikely(ret < 0)) |
| + return ret; |
| |
| /* start the decryption afresh */ |
| memset(&iv, 0, sizeof(iv)); |
| @@ -405,7 +409,7 @@ static int rxkad_verify_packet_2(struct |
| struct sk_buff *trailer; |
| u32 data_size, buf; |
| u16 check; |
| - int nsg; |
| + int nsg, ret; |
| |
| _enter(",{%d}", skb->len); |
| |
| @@ -429,7 +433,12 @@ static int rxkad_verify_packet_2(struct |
| } |
| |
| sg_init_table(sg, nsg); |
| - skb_to_sgvec(skb, sg, offset, len); |
| + ret = skb_to_sgvec(skb, sg, offset, len); |
| + if (unlikely(ret < 0)) { |
| + if (sg != _sg) |
| + kfree(sg); |
| + return ret; |
| + } |
| |
| /* decrypt from the session key */ |
| token = call->conn->params.key->payload.data[0]; |