diff options
author | Doron Roberts-Kedes <doronrk@fb.com> | 2018-07-02 10:25:05 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-07-03 23:26:47 +0900 |
commit | 52ee6ef36ee10dd493cf2067311e56ca8015eb8d (patch) | |
tree | 3f6755391f5b5e541167ebd8a8c14065d9eeefb9 /net/tls/tls_sw.c | |
parent | c643ecf354e25ceeae14add9064d4d6253d75577 (diff) | |
download | lwn-52ee6ef36ee10dd493cf2067311e56ca8015eb8d.tar.gz lwn-52ee6ef36ee10dd493cf2067311e56ca8015eb8d.zip |
tls: fix skb_to_sgvec returning unhandled error.
The current code does not inspect the return value of skb_to_sgvec. This
can cause a nullptr kernel panic when the malformed sgvec is passed into
the crypto request.
Checking the return value of skb_to_sgvec and skipping decryption if it
is negative fixes this problem.
Fixes: c46234ebb4d1 ("tls: RX path for ktls")
Acked-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tls/tls_sw.c')
-rw-r--r-- | net/tls/tls_sw.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index d2380548f8f6..7818011fd250 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -701,6 +701,10 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb, nsg = skb_to_sgvec(skb, &sgin[1], rxm->offset + tls_ctx->rx.prepend_size, rxm->full_len - tls_ctx->rx.prepend_size); + if (nsg < 0) { + ret = nsg; + goto out; + } tls_make_aad(ctx->rx_aad_ciphertext, rxm->full_len - tls_ctx->rx.overhead_size, @@ -712,6 +716,7 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb, rxm->full_len - tls_ctx->rx.overhead_size, skb, sk->sk_allocation); +out: if (sgin != &sgin_arr[0]) kfree(sgin); |