From: Chris Wright <chrisw@osdl.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
Krzysztof Oledzki <olel@ans.pl>
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Chris Wright <chrisw@osdl.org>
Subject: [PATCH 6/9] [CRYPTO] Fix boundary check in standard multi-block cipher processors
Date: Wed, 07 Sep 2005 18:28:48 -0700 [thread overview]
Message-ID: <20050908012901.227702000@localhost.localdomain> (raw)
In-Reply-To: 20050908012842.299637000@localhost.localdomain
[-- Attachment #1: ipsec-oops-fix.patch --]
[-- Type: text/plain, Size: 1929 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
[CRYPTO] Fix boundary check in standard multi-block cipher processors
Fixes Bug 5194 (IPSec related Oops in 2.6.13).
The boundary check in the standard multi-block cipher processors are
broken when nbytes is not a multiple of bsize. In those cases it will
always process an extra block.
This patch corrects the check so that it processes at most nbytes of data.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
crypto/cipher.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
Index: linux-2.6.13.y/crypto/cipher.c
===================================================================
--- linux-2.6.13.y.orig/crypto/cipher.c
+++ linux-2.6.13.y/crypto/cipher.c
@@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
u8 *iv = desc->info;
unsigned int done = 0;
+ nbytes -= bsize;
+
do {
xor(iv, src);
fn(crypto_tfm_ctx(tfm), dst, iv);
@@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(
src += bsize;
dst += bsize;
- } while ((done += bsize) < nbytes);
+ } while ((done += bsize) <= nbytes);
return done;
}
@@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
u8 *iv = desc->info;
unsigned int done = 0;
+ nbytes -= bsize;
+
do {
u8 *tmp_dst = *dst_p;
@@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(
src += bsize;
dst += bsize;
- } while ((done += bsize) < nbytes);
+ } while ((done += bsize) <= nbytes);
return done;
}
@@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
void (*fn)(void *, u8 *, const u8 *) = desc->crfn;
unsigned int done = 0;
+ nbytes -= bsize;
+
do {
fn(crypto_tfm_ctx(tfm), dst, src);
src += bsize;
dst += bsize;
- } while ((done += bsize) < nbytes);
+ } while ((done += bsize) <= nbytes);
return done;
}
--
next prev parent reply other threads:[~2005-09-08 1:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-09-08 1:28 [PATCH 0/9] -stable review Chris Wright
2005-09-08 1:28 ` [PATCH 1/9] [PATCH] Kconfig: saa7134-dvb must select tda1004x Chris Wright
2005-09-08 1:28 ` [PATCH 2/9] [PATCH] aacraid: 2.6.13 aacraid bad BUG_ON fix Chris Wright
2005-09-08 1:28 ` [PATCH 3/9] [PATCH] Fix PCI ROM mapping Chris Wright
2005-09-08 1:28 ` [PATCH 4/9] [PATCH] x86: pci_assign_unassigned_resources() update Chris Wright
2005-09-08 1:28 ` [PATCH 5/9] [NET]: 2.6.13 breaks libpcap (and tcpdump) Chris Wright
2005-09-08 1:28 ` Chris Wright [this message]
2005-09-08 1:28 ` [PATCH 7/9] [RTC]: Use SA_SHIRQ in sparc specific code Chris Wright
2005-09-08 1:28 ` [PATCH 8/9] [IPV4]: Reassembly trim not clearing CHECKSUM_HW Chris Wright
2005-09-08 1:28 ` [PATCH 9/9] [PATCH] 32bit sendmsg() flaw (CAN-2005-2490) Chris Wright
2005-09-09 6:37 ` Chris Wright
2005-09-09 6:43 ` [PATCH 10/9] raw_sendmsg DoS (CAN-2005-2492) Chris Wright
2005-09-09 12:13 ` [PATCH 0/9] -stable review Henrik Persson
2005-09-09 16:05 ` Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050908012901.227702000@localhost.localdomain \
--to=chrisw@osdl.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olel@ans.pl \
--cc=rdunlap@xenotime.net \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox