net/tls: don't copy negative amounts of data in reencrypt

There is no guarantee the record starts before the skb frags. If we don't check for this condition copy amount will get negative, leading to reads and writes to random memory locations. Familiar hilarity ensues. Fixes: 4799ac81 ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: John Hurley <john.hurley@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>

net/tls: don't copy negative amounts of data in reencrypt
There is no guarantee the record starts before the skb frags. If we don't check for this condition copy amount will get negative, leading to reads and writes to random memory locations. Familiar hilarity ensues. Fixes: 4799ac81 ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: John Hurley <john.hurley@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>
97e1caa5 · Jakub Kicinski · David S. Miller · b2a20fd0 · 97e1caa5
Commit 97e1caa5 authored Apr 25, 2019 by Jakub Kicinski Committed by David S. Miller Apr 27, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

net/tls/tls_device.c net/tls/tls_device.c +8 -6

No files found.
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -628,14 +628,16 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
 	else
 		err = 0;

-	copy = min_t(int, skb_pagelen(skb) - offset,
-		     rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+	if (skb_pagelen(skb) > offset) {
+		copy = min_t(int, skb_pagelen(skb) - offset,
+			     rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);

-	if (skb->decrypted)
-		skb_store_bits(skb, offset, buf, copy);
+		if (skb->decrypted)
+			skb_store_bits(skb, offset, buf, copy);

-	offset += copy;
-	buf += copy;
+		offset += copy;
+		buf += copy;
+	}

 	skb_walk_frags(skb, skb_iter) {
 		copy = min_t(int, skb_iter->len,