From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79656C43219 for ; Sat, 4 May 2019 10:28:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4C37C206BB for ; Sat, 4 May 2019 10:28:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965724; bh=BWFpvBSdMj8bWjVZXoTbFZTlv7FHBpF4S9q60QRo7h8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=N9Br8H3qHqtUsesZKesVn6qyHg2tbQIVw1s9Xo1YykgsbQ+SLoV8uLxgwABFqTu7N YIfAoK2/4wQI6otiLap/7gQmRgufCv08DDm7CjZdzoPXnxnV/6SWQJHcjB901xiJNJ rQs/moiwrdJ1LmDNUvr5UC32nc+xJAY+tIywlabk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727138AbfEDK1b (ORCPT ); Sat, 4 May 2019 06:27:31 -0400 Received: from mail.kernel.org ([198.145.29.99]:37666 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728188AbfEDK13 (ORCPT ); Sat, 4 May 2019 06:27:29 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9885F206BB; Sat, 4 May 2019 10:27:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965648; bh=BWFpvBSdMj8bWjVZXoTbFZTlv7FHBpF4S9q60QRo7h8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eXgeNYmK1SidtSHLdoAYl0a0MKVxv7S7QOko7XQFmSGPl0DlJzPXWhrweNFRn7Gq1 2GCMUkoxGBd78ocJhG37WkqkgKsUnRcJInyEqdxh640x6FKMtbfskFJAze4XKImscr O4Y3VympAzc6FslKUxqXK9oz1SVzzTqic+TbyJzw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jakub Kicinski , John Hurley , "David S. Miller" Subject: [PATCH 4.19 19/23] net/tls: fix copy to fragments in reencrypt Date: Sat, 4 May 2019 12:25:21 +0200 Message-Id: <20190504102452.152806399@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190504102451.512405835@linuxfoundation.org> References: <20190504102451.512405835@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jakub Kicinski [ Upstream commit eb3d38d5adb520435d4e4af32529ccb13ccc9935 ] Fragments may contain data from other records so we have to account for that when we calculate the destination and max length of copy we can perform. Note that 'offset' is the offset within the message, so it can't be passed as offset within the frag.. Here skb_store_bits() would have realised the call is wrong and simply not copy data. Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski Reviewed-by: John Hurley Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/tls/tls_device.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -569,7 +569,7 @@ void handle_device_resync(struct sock *s static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) { struct strp_msg *rxm = strp_msg(skb); - int err = 0, offset = rxm->offset, copy, nsg; + int err = 0, offset = rxm->offset, copy, nsg, data_len, pos; struct sk_buff *skb_iter, *unused; struct scatterlist sg[1]; char *orig_buf, *buf; @@ -600,9 +600,10 @@ static int tls_device_reencrypt(struct s else err = 0; + data_len = rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE; + if (skb_pagelen(skb) > offset) { - copy = min_t(int, skb_pagelen(skb) - offset, - rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + copy = min_t(int, skb_pagelen(skb) - offset, data_len); if (skb->decrypted) skb_store_bits(skb, offset, buf, copy); @@ -611,16 +612,30 @@ static int tls_device_reencrypt(struct s buf += copy; } + pos = skb_pagelen(skb); skb_walk_frags(skb, skb_iter) { - copy = min_t(int, skb_iter->len, - rxm->full_len - offset + rxm->offset - - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + int frag_pos; + + /* Practically all frags must belong to msg if reencrypt + * is needed with current strparser and coalescing logic, + * but strparser may "get optimized", so let's be safe. + */ + if (pos + skb_iter->len <= offset) + goto done_with_frag; + if (pos >= data_len + rxm->offset) + break; + + frag_pos = offset - pos; + copy = min_t(int, skb_iter->len - frag_pos, + data_len + rxm->offset - offset); if (skb_iter->decrypted) - skb_store_bits(skb_iter, offset, buf, copy); + skb_store_bits(skb_iter, frag_pos, buf, copy); offset += copy; buf += copy; +done_with_frag: + pos += skb_iter->len; } free_buf: