| From foo@baz Sat 04 May 2019 09:23:44 AM CEST |
| From: Jakub Kicinski <jakub.kicinski@netronome.com> |
| Date: Thu, 25 Apr 2019 17:35:09 -0700 |
| Subject: net/tls: don't copy negative amounts of data in reencrypt |
| |
| From: Jakub Kicinski <jakub.kicinski@netronome.com> |
| |
| [ Upstream commit 97e1caa517e22d62a283b876fb8aa5f4672c83dd ] |
| |
| There is no guarantee the record starts before the skb frags. |
| If we don't check for this condition copy amount will get |
| negative, leading to reads and writes to random memory locations. |
| Familiar hilarity ensues. |
| |
| Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") |
| Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> |
| Reviewed-by: John Hurley <john.hurley@netronome.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/tls/tls_device.c | 14 ++++++++------ |
| 1 file changed, 8 insertions(+), 6 deletions(-) |
| |
| --- a/net/tls/tls_device.c |
| +++ b/net/tls/tls_device.c |
| @@ -600,14 +600,16 @@ static int tls_device_reencrypt(struct s |
| else |
| err = 0; |
| |
| - copy = min_t(int, skb_pagelen(skb) - offset, |
| - rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); |
| + if (skb_pagelen(skb) > offset) { |
| + copy = min_t(int, skb_pagelen(skb) - offset, |
| + rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); |
| |
| - if (skb->decrypted) |
| - skb_store_bits(skb, offset, buf, copy); |
| + if (skb->decrypted) |
| + skb_store_bits(skb, offset, buf, copy); |
| |
| - offset += copy; |
| - buf += copy; |
| + offset += copy; |
| + buf += copy; |
| + } |
| |
| skb_walk_frags(skb, skb_iter) { |
| copy = min_t(int, skb_iter->len, |
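Review bot: when the new `if (skb_pagelen(skb) > offset)` test is false, `offset` and `buf` are left unadvanced and control falls straight into `skb_walk_frags()`, whose visible bound starts from `skb_iter->len`, the full length of the first fragment. Please confirm that the loop handles a record that begins part-way into the frag list, for example by tracking how far `offset` lies past `skb_pagelen(skb)` before copying. Otherwise the negative copy is avoided, but the first fragment may still be copied from the wrong position. Separately, the guard only covers the first `min_t(int, ...)` argument. The second, `rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE`, can still select a negative `copy` if `full_len` is ever smaller than the tag size. A `copy > 0` check before `skb_store_bits()`, or a comment stating where that lower bound on `full_len` is enforced, would close that gap.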