In function sg_copy_end_to_buffer, too much data
is copied when a segment in the scatterlist
has .length greater than the requested copy length.
This patch adds the limit checks to fix this bug of over copying,
which affected only the ahash algorithms.
Signed-off-by: Lee Nipper <[email protected]>
Acked-by: Kim Phillips <[email protected]>
---
This is version 2 of this patch,
with changes per Kim's review: unnecessary parenthesis removed.
drivers/crypto/talitos.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
index 0f2483e..e058987 100644
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1183,10 +1183,14 @@ static size_t sg_copy_end_to_buffer(struct scatterlist *sgl, unsigned int nents,
/* Copy part of this segment */
ignore = skip - offset;
len = miter.length - ignore;
+ if (boffset + len > buflen)
+ len = buflen - boffset;
memcpy(buf + boffset, miter.addr + ignore, len);
} else {
- /* Copy all of this segment */
+ /* Copy all of this segment (up to buflen) */
len = miter.length;
+ if (boffset + len > buflen)
+ len = buflen - boffset;
memcpy(buf + boffset, miter.addr, len);
}
boffset += len;
--
1.6.0.4
On Wed, Jul 14, 2010 at 12:11:27AM +0000, Lee Nipper wrote:
> In function sg_copy_end_to_buffer, too much data
> is copied when a segment in the scatterlist
> has .length greater than the requested copy length.
>
> This patch adds the limit checks to fix this bug of over copying,
> which affected only the ahash algorithms.
>
> Signed-off-by: Lee Nipper <[email protected]>
> Acked-by: Kim Phillips <[email protected]>
Applied to crypto-2.6. Thanks Lee!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt