From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Jakub Kicinski <jakub.kicinski@netronome.com>,
John Hurley <john.hurley@netronome.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.0 27/32] net/tls: fix copy to fragments in reencrypt
Date: Sat, 4 May 2019 12:25:12 +0200 [thread overview]
Message-ID: <20190504102453.318811912@linuxfoundation.org> (raw)
In-Reply-To: <20190504102452.523724210@linuxfoundation.org>
From: Jakub Kicinski <jakub.kicinski@netronome.com>
[ Upstream commit eb3d38d5adb520435d4e4af32529ccb13ccc9935 ]
Fragments may contain data from other records so we have to account
for that when we calculate the destination and max length of copy we
can perform. Note that 'offset' is the offset within the message,
so it can't be passed as offset within the frag..
Here skb_store_bits() would have realised the call is wrong and
simply not copy data.
Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: John Hurley <john.hurley@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tls/tls_device.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -579,7 +579,7 @@ void handle_device_resync(struct sock *s
static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
{
struct strp_msg *rxm = strp_msg(skb);
- int err = 0, offset = rxm->offset, copy, nsg;
+ int err = 0, offset = rxm->offset, copy, nsg, data_len, pos;
struct sk_buff *skb_iter, *unused;
struct scatterlist sg[1];
char *orig_buf, *buf;
@@ -610,9 +610,10 @@ static int tls_device_reencrypt(struct s
else
err = 0;
+ data_len = rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE;
+
if (skb_pagelen(skb) > offset) {
- copy = min_t(int, skb_pagelen(skb) - offset,
- rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+ copy = min_t(int, skb_pagelen(skb) - offset, data_len);
if (skb->decrypted)
skb_store_bits(skb, offset, buf, copy);
@@ -621,16 +622,30 @@ static int tls_device_reencrypt(struct s
buf += copy;
}
+ pos = skb_pagelen(skb);
skb_walk_frags(skb, skb_iter) {
- copy = min_t(int, skb_iter->len,
- rxm->full_len - offset + rxm->offset -
- TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+ int frag_pos;
+
+ /* Practically all frags must belong to msg if reencrypt
+ * is needed with current strparser and coalescing logic,
+ * but strparser may "get optimized", so let's be safe.
+ */
+ if (pos + skb_iter->len <= offset)
+ goto done_with_frag;
+ if (pos >= data_len + rxm->offset)
+ break;
+
+ frag_pos = offset - pos;
+ copy = min_t(int, skb_iter->len - frag_pos,
+ data_len + rxm->offset - offset);
if (skb_iter->decrypted)
- skb_store_bits(skb_iter, offset, buf, copy);
+ skb_store_bits(skb_iter, frag_pos, buf, copy);
offset += copy;
buf += copy;
+done_with_frag:
+ pos += skb_iter->len;
}
free_buf:
next prev parent reply other threads:[~2019-05-04 10:29 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-04 10:24 [PATCH 5.0 00/32] 5.0.13-stable review Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 01/32] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 02/32] ipv6: A few fixes on dereferencing rt->from Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 03/32] ipv6: fix races in ip6_dst_destroy() Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 04/32] ipv6/flowlabel: wait rcu grace period before put_pid() Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 05/32] ipv6: invert flowlabel sharing check in process and user mode Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 06/32] l2ip: fix possible use-after-free Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 07/32] l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv() Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 08/32] net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 09/32] net: phy: marvell: Fix buffer overrun with stats counters Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 10/32] net/tls: avoid NULL pointer deref on nskb->sk in fallback Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 11/32] rxrpc: Fix net namespace cleanup Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 12/32] sctp: avoid running the sctp state machine recursively Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 13/32] selftests: fib_rule_tests: print the result and return 1 if any tests failed Greg Kroah-Hartman
2019-05-04 10:24 ` [PATCH 5.0 14/32] packet: validate msg_namelen in send directly Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 15/32] packet: in recvmsg msg_name return at least sizeof sockaddr_ll Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 16/32] selftests: fib_rule_tests: Fix icmp proto with ipv6 Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 17/32] tcp: add sanity tests in tcp_add_backlog() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 18/32] udp: fix GRO reception in case of length mismatch Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 19/32] udp: fix GRO packet of death Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 20/32] bnxt_en: Improve multicast address setup logic Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 21/32] bnxt_en: Free short FW command HWRM memory in error path in bnxt_init_one() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 22/32] bnxt_en: Fix possible crash in bnxt_hwrm_ring_free() under error conditions Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 23/32] bnxt_en: Pass correct extended TX port statistics size to firmware Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 24/32] bnxt_en: Fix statistics context reservation logic Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 25/32] bnxt_en: Fix uninitialized variable usage in bnxt_rx_pkt() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 26/32] net/tls: dont copy negative amounts of data in reencrypt Greg Kroah-Hartman
2019-05-04 10:25 ` Greg Kroah-Hartman [this message]
2019-05-04 10:25 ` [PATCH 5.0 28/32] KVM: x86: Whitelist port 0x7e for pre-incrementing %rip Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 29/32] KVM: nVMX: Fix size checks in vmx_set_nested_state Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 30/32] ALSA: line6: use dynamic buffers Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 31/32] iwlwifi: mvm: properly check debugfs dentry before using it Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 5.0 32/32] ath10k: Drop WARN_ON()s that always trigger during system resume Greg Kroah-Hartman
2019-05-04 18:26 ` [PATCH 5.0 00/32] 5.0.13-stable review kernelci.org bot
2019-05-04 23:53 ` Guenter Roeck
2019-05-05 7:11 ` Greg Kroah-Hartman
2019-05-05 3:05 ` Dan Rue
2019-05-05 3:31 ` Guenter Roeck
2019-05-05 12:17 ` Dan Rue
2019-05-05 12:41 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190504102453.318811912@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jakub.kicinski@netronome.com \
--cc=john.hurley@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).