crypto: talitos - fix bug in sg_copy_end_to_buffer

In function sg_copy_end_to_buffer, too much data is copied when a segment in the scatterlist has .length greater than the requested copy length. This patch adds the limit checks to fix this bug of over copying, which affected only the ahash algorithms. Signed-off-by: Lee Nipper <lee.nipper@gmail.com> Acked-by: Kim Phillips <kim.phillips@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

crypto: talitos - fix bug in sg_copy_end_to_buffer
In function sg_copy_end_to_buffer, too much data is copied when a segment in the scatterlist has .length greater than the requested copy length. This patch adds the limit checks to fix this bug of over copying, which affected only the ahash algorithms. Signed-off-by: Lee Nipper <lee.nipper@gmail.com> Acked-by: Kim Phillips <kim.phillips@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
7260042b · Lee Nipper · Herbert Xu · 2716fbf6 · 7260042b
Commit 7260042b authored Jul 19, 2010 by Lee Nipper Committed by Herbert Xu Jul 19, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/crypto/talitos.c drivers/crypto/talitos.c +5 -1

No files found.
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1183,10 +1183,14 @@ static size_t sg_copy_end_to_buffer(struct scatterlist *sgl, unsigned int nents,
 				/* Copy part of this segment */
 				ignore = skip - offset;
 				len = miter.length - ignore;
+				if (boffset + len > buflen)
+					len = buflen - boffset;
 				memcpy(buf + boffset, miter.addr + ignore, len);
 			} else {
-				/* Copy all of this segment */
+				/* Copy all of this segment (up to buflen) */
 				len = miter.length;
+				if (boffset + len > buflen)
+					len = buflen - boffset;
 				memcpy(buf + boffset, miter.addr, len);
 			}
 			boffset += len;