Commit ef609c23 authored by Herbert Xu's avatar Herbert Xu

sunrpc: Fix skcipher/shash conversion

The skcpiher/shash conversion introduced a number of bugs in the
sunrpc code:

1) Missing calls to skcipher_request_set_tfm lead to crashes.
2) The allocation size of shash_desc is too small which leads to
memory corruption.

Fixes: 3b5cf20c ("sunrpc: Use skcipher and ahash/shash")
Reported-by: default avatarJ. Bruce Fields <bfields@fieldses.org>
Tested-by: default avatarJ. Bruce Fields <bfields@fieldses.org>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 9735a227
...@@ -78,6 +78,7 @@ krb5_encrypt( ...@@ -78,6 +78,7 @@ krb5_encrypt(
memcpy(out, in, length); memcpy(out, in, length);
sg_init_one(sg, out, length); sg_init_one(sg, out, length);
skcipher_request_set_tfm(req, tfm);
skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sg, sg, length, local_iv); skcipher_request_set_crypt(req, sg, sg, length, local_iv);
...@@ -115,6 +116,7 @@ krb5_decrypt( ...@@ -115,6 +116,7 @@ krb5_decrypt(
memcpy(out, in, length); memcpy(out, in, length);
sg_init_one(sg, out, length); sg_init_one(sg, out, length);
skcipher_request_set_tfm(req, tfm);
skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sg, sg, length, local_iv); skcipher_request_set_crypt(req, sg, sg, length, local_iv);
...@@ -946,7 +948,8 @@ krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher, ...@@ -946,7 +948,8 @@ krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher,
return PTR_ERR(hmac); return PTR_ERR(hmac);
} }
desc = kmalloc(sizeof(*desc), GFP_KERNEL); desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
GFP_KERNEL);
if (!desc) { if (!desc) {
dprintk("%s: failed to allocate shash descriptor for '%s'\n", dprintk("%s: failed to allocate shash descriptor for '%s'\n",
__func__, kctx->gk5e->cksum_name); __func__, kctx->gk5e->cksum_name);
...@@ -1012,7 +1015,8 @@ krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher, ...@@ -1012,7 +1015,8 @@ krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher,
return PTR_ERR(hmac); return PTR_ERR(hmac);
} }
desc = kmalloc(sizeof(*desc), GFP_KERNEL); desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
GFP_KERNEL);
if (!desc) { if (!desc) {
dprintk("%s: failed to allocate shash descriptor for '%s'\n", dprintk("%s: failed to allocate shash descriptor for '%s'\n",
__func__, kctx->gk5e->cksum_name); __func__, kctx->gk5e->cksum_name);
......
...@@ -451,7 +451,8 @@ context_derive_keys_rc4(struct krb5_ctx *ctx) ...@@ -451,7 +451,8 @@ context_derive_keys_rc4(struct krb5_ctx *ctx)
goto out_err_free_hmac; goto out_err_free_hmac;
desc = kmalloc(sizeof(*desc), GFP_KERNEL); desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
GFP_KERNEL);
if (!desc) { if (!desc) {
dprintk("%s: failed to allocate hash descriptor for '%s'\n", dprintk("%s: failed to allocate hash descriptor for '%s'\n",
__func__, ctx->gk5e->cksum_name); __func__, ctx->gk5e->cksum_name);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment