From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36ECCC43219 for ; Sat, 4 May 2019 10:27:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 09A382085A for ; Sat, 4 May 2019 10:27:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965655; bh=BWFpvBSdMj8bWjVZXoTbFZTlv7FHBpF4S9q60QRo7h8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=1k76916CKb6SvrhmVaORyxRau7ugWSvGQibLWXCDvOKT9pVVAkzVXS9cZosvsWZCr rh7gvD1aGkMP79PRaQY0hmJwgvQCFjfHKhpDGjTZIDN6s4sdkIgMyu4Jrn1K1o3km7 5qVLxtFle3xIzJDXP9Tw7ayanj4t7/JFgry6k7VQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728201AbfEDK1d (ORCPT ); Sat, 4 May 2019 06:27:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:37666 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728188AbfEDK13 (ORCPT ); Sat, 4 May 2019 06:27:29 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9885F206BB; Sat, 4 May 2019 10:27:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965648; bh=BWFpvBSdMj8bWjVZXoTbFZTlv7FHBpF4S9q60QRo7h8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eXgeNYmK1SidtSHLdoAYl0a0MKVxv7S7QOko7XQFmSGPl0DlJzPXWhrweNFRn7Gq1 2GCMUkoxGBd78ocJhG37WkqkgKsUnRcJInyEqdxh640x6FKMtbfskFJAze4XKImscr O4Y3VympAzc6FslKUxqXK9oz1SVzzTqic+TbyJzw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jakub Kicinski , John Hurley , "David S. Miller" Subject: [PATCH 4.19 19/23] net/tls: fix copy to fragments in reencrypt Date: Sat, 4 May 2019 12:25:21 +0200 Message-Id: <20190504102452.152806399@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190504102451.512405835@linuxfoundation.org> References: <20190504102451.512405835@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jakub Kicinski [ Upstream commit eb3d38d5adb520435d4e4af32529ccb13ccc9935 ] Fragments may contain data from other records so we have to account for that when we calculate the destination and max length of copy we can perform. Note that 'offset' is the offset within the message, so it can't be passed as offset within the frag.. Here skb_store_bits() would have realised the call is wrong and simply not copy data. Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski Reviewed-by: John Hurley Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/tls/tls_device.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -569,7 +569,7 @@ void handle_device_resync(struct sock *s static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) { struct strp_msg *rxm = strp_msg(skb); - int err = 0, offset = rxm->offset, copy, nsg; + int err = 0, offset = rxm->offset, copy, nsg, data_len, pos; struct sk_buff *skb_iter, *unused; struct scatterlist sg[1]; char *orig_buf, *buf; @@ -600,9 +600,10 @@ static int tls_device_reencrypt(struct s else err = 0; + data_len = rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE; + if (skb_pagelen(skb) > offset) { - copy = min_t(int, skb_pagelen(skb) - offset, - rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + copy = min_t(int, skb_pagelen(skb) - offset, data_len); if (skb->decrypted) skb_store_bits(skb, offset, buf, copy); @@ -611,16 +612,30 @@ static int tls_device_reencrypt(struct s buf += copy; } + pos = skb_pagelen(skb); skb_walk_frags(skb, skb_iter) { - copy = min_t(int, skb_iter->len, - rxm->full_len - offset + rxm->offset - - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + int frag_pos; + + /* Practically all frags must belong to msg if reencrypt + * is needed with current strparser and coalescing logic, + * but strparser may "get optimized", so let's be safe. + */ + if (pos + skb_iter->len <= offset) + goto done_with_frag; + if (pos >= data_len + rxm->offset) + break; + + frag_pos = offset - pos; + copy = min_t(int, skb_iter->len - frag_pos, + data_len + rxm->offset - offset); if (skb_iter->decrypted) - skb_store_bits(skb_iter, offset, buf, copy); + skb_store_bits(skb_iter, frag_pos, buf, copy); offset += copy; buf += copy; +done_with_frag: + pos += skb_iter->len; } free_buf: