net/tls: don’t copy negative amounts of data in reencrypt [Linux 5.1]

This Linux kernel change, "net/tls: don’t copy negative amounts of data in reencrypt", is included in the Linux 5.1 release. It was authored by Jakub Kicinski <jakub.kicinski [at] netronome.com> on Thu Apr 25 17:35:09 2019 -0700. The commit for this change in the Linux stable tree is 97e1caa (patch).

net/tls: don't copy negative amounts of data in reencrypt

There is no guarantee the record starts before the skb frags.
If we don't check for this condition copy amount will get
negative, leading to reads and writes to random memory locations.
Familiar hilarity ensues.

Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: John Hurley <john.hurley@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

This change adds or deletes 14 lines of Linux source code. The code changes to the Linux kernel are as follows.

 net/tls/tls_device.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index cc02569..9635706 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -628,14 +628,16 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
    else
        err = 0;

-   copy = min_t(int, skb_pagelen(skb) - offset,
-            rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+   if (skb_pagelen(skb) > offset) {
+       copy = min_t(int, skb_pagelen(skb) - offset,
+                rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);

-   if (skb->decrypted)
-       skb_store_bits(skb, offset, buf, copy);
+       if (skb->decrypted)
+           skb_store_bits(skb, offset, buf, copy);

-   offset += copy;
-   buf += copy;
+       offset += copy;
+       buf += copy;
+   }

    skb_walk_frags(skb, skb_iter) {
        copy = min_t(int, skb_iter->len,
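
Review bot: When the new `if (skb_pagelen(skb) > offset)` guard is false, `offset` still lies beyond the head and page frags, yet the `skb_walk_frags()` loop that follows begins with `copy = min_t(int, skb_iter->len,` and nothing visible in this hunk accounts for the part of `offset` that falls inside the frag_list. Please confirm that the loop handles a record that starts partway into a frag_list skb, or carry the remaining offset into it, so the same signed-length problem does not simply move one step down. The guard also covers only the first `min_t(int, ...)` operand: `rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE` is still a signed subtraction, so it is worth stating where `full_len` is guaranteed to be at least the tag size. A one-line comment above the `if` noting that the record may start past the page data would help the next reader.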
