2005-09-08 01:31:16

by Chris Wright

[permalink] [raw]
Subject: [PATCH 6/9] [CRYPTO] Fix boundary check in standard multi-block cipher processors

-stable review patch. If anyone has any objections, please let us know.
------------------

[CRYPTO] Fix boundary check in standard multi-block cipher processors

Fixes Bug 5194 (IPSec related Oops in 2.6.13).

The boundary check in the standard multi-block cipher processors are
broken when nbytes is not a multiple of bsize. In those cases it will
always process an extra block.

This patch corrects the check so that it processes at most nbytes of data.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
crypto/cipher.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)

Index: linux-2.6.13.y/crypto/cipher.c
===================================================================
--- linux-2.6.13.y.orig/crypto/cipher.c
+++ linux-2.6.13.y/crypto/cipher.c
@@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
u8 *iv = desc->info;
unsigned int done = 0;

+ nbytes -= bsize;
+
do {
xor(iv, src);
fn(crypto_tfm_ctx(tfm), dst, iv);
@@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(

src += bsize;
dst += bsize;
- } while ((done += bsize) < nbytes);
+ } while ((done += bsize) <= nbytes);

return done;
}
@@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
u8 *iv = desc->info;
unsigned int done = 0;

+ nbytes -= bsize;
+
do {
u8 *tmp_dst = *dst_p;

@@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(

src += bsize;
dst += bsize;
- } while ((done += bsize) < nbytes);
+ } while ((done += bsize) <= nbytes);

return done;
}
@@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
void (*fn)(void *, u8 *, const u8 *) = desc->crfn;
unsigned int done = 0;

+ nbytes -= bsize;
+
do {
fn(crypto_tfm_ctx(tfm), dst, src);

src += bsize;
dst += bsize;
- } while ((done += bsize) < nbytes);
+ } while ((done += bsize) <= nbytes);

return done;
}

--