Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 84cba178 authored by Andrey Ryabinin's avatar Andrey Ryabinin Committed by Herbert Xu
Browse files

crypto: testmgr - don't copy from source IV too much 



While the destination buffer 'iv' is MAX_IVLEN size,
the source 'template[i].iv' could be smaller, thus
memcpy may read read invalid memory.
Use crypto_skcipher_ivsize() to get real ivsize
and pass it to memcpy.

Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 9da75de0

crypto/testmgr.c

+3 −2
Original line number Diff line number Diff line
@@ -940,6 +940,7 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc, 
	char *xbuf[XBUFSIZE];

	char *xoutbuf[XBUFSIZE];

	int ret = -ENOMEM;

	unsigned int ivsize = crypto_skcipher_ivsize(tfm);



	if (testmgr_alloc_buf(xbuf))

		goto out_nobuf;
@@ -975,7 +976,7 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc, 
			continue;



		if (template[i].iv)

			memcpy(iv, template[i].iv, MAX_IVLEN);

			memcpy(iv, template[i].iv, ivsize);

		else

			memset(iv, 0, MAX_IVLEN);
@@ -1051,7 +1052,7 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc, 
			continue;



		if (template[i].iv)

			memcpy(iv, template[i].iv, MAX_IVLEN);

			memcpy(iv, template[i].iv, ivsize);

		else

			memset(iv, 0, MAX_IVLEN);