Commit 52ee6ef3 authored Jul 02, 2018 by Doron Roberts-Kedes Committed by David S. Miller Jul 03, 2018

tls: fix skb_to_sgvec returning unhandled error.



The current code does not inspect the return value of skb_to_sgvec. This
can cause a nullptr kernel panic when the malformed sgvec is passed into
the crypto request.

Checking the return value of skb_to_sgvec and skipping decryption if it
is negative fixes this problem.

Fixes: c46234eb ("tls: RX path for ktls")
Acked-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent c643ecf3

net/tls/tls_sw.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -701,6 +701,10 @@ static int decrypt_skb(struct sock sk, struct sk_buff skb,
		nsg = skb_to_sgvec(skb, &sgin[1],
		rxm->offset + tls_ctx->rx.prepend_size,
		rxm->full_len - tls_ctx->rx.prepend_size);
		if (nsg < 0) {
		ret = nsg;
		goto out;
		}

		tls_make_aad(ctx->rx_aad_ciphertext,
		rxm->full_len - tls_ctx->rx.overhead_size,
		@@ -712,6 +716,7 @@ static int decrypt_skb(struct sock sk, struct sk_buff skb,
		rxm->full_len - tls_ctx->rx.overhead_size,
		skb, sk->sk_allocation);

		out:
		if (sgin != &sgin_arr[0])
		kfree(sgin);