Commit e8bc549d authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

[CRYPTO]: Fix stack overrun in crypt().

The stack allocation in crypt() is bogus as whether tmp_src/tmp_dst
is used is determined by factors unrelated to nbytes and
src->length/dst->length.

Since the condition for whether tmp_src/tmp_dst are used is very
complex, let's allocate them always instead of guessing.

This fixes a number of weird crashes including those AES crashes
that people have been seeing with the 2.4 backport + ipt_conntrack.
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarJames Morris <jmorris@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@redhat.com>
parent 964eb7b1
...@@ -52,8 +52,8 @@ static int crypt(struct crypto_tfm *tfm, ...@@ -52,8 +52,8 @@ static int crypt(struct crypto_tfm *tfm,
{ {
struct scatter_walk walk_in, walk_out; struct scatter_walk walk_in, walk_out;
const unsigned int bsize = crypto_tfm_alg_blocksize(tfm); const unsigned int bsize = crypto_tfm_alg_blocksize(tfm);
u8 tmp_src[nbytes > src->length ? bsize : 0]; u8 tmp_src[bsize];
u8 tmp_dst[nbytes > dst->length ? bsize : 0]; u8 tmp_dst[bsize];
if (!nbytes) if (!nbytes)
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment