提交 97e1caa5 编写于 作者: J Jakub Kicinski 提交者: David S. Miller

net/tls: don't copy negative amounts of data in reencrypt

There is no guarantee the record starts before the skb frags.
If we don't check for this condition copy amount will get
negative, leading to reads and writes to random memory locations.
Familiar hilarity ensues.

Fixes: 4799ac81 ("tls: Add rx inline crypto offload")
Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: NJohn Hurley <john.hurley@netronome.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 b2a20fd0
......@@ -628,6 +628,7 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
else
err = 0;
if (skb_pagelen(skb) > offset) {
copy = min_t(int, skb_pagelen(skb) - offset,
rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
......@@ -636,6 +637,7 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
offset += copy;
buf += copy;
}
skb_walk_frags(skb, skb_iter) {
copy = min_t(int, skb_iter->len,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册