When the total length is shorter than the calculated number of unaligned bytes, the call to shash->update breaks. For example, calling crc32c on unaligned buffer with length of 1 can result in a system crash.
Signed-off-by: Yehuda Sadeh <[email protected]>
---
crypto/shash.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/crypto/shash.c b/crypto/shash.c
index d5a2b61..6792a67 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -82,6 +82,9 @@ static int shash_update_unaligned(struct shash_desc *desc, const u8 *data,
u8 buf[shash_align_buffer_size(unaligned_len, alignmask)]
__attribute__ ((aligned));
+ if (unaligned_len > len)
+ unaligned_len = len;
+
memcpy(buf, data, unaligned_len);
return shash->update(desc, buf, unaligned_len) ?:
--
1.5.6.5
On Thu, Mar 26, 2009 at 02:12:21PM -0700, Yehuda Sadeh wrote:
> When the total length is shorter than the calculated number of unaligned bytes, the call to shash->update breaks. For example, calling crc32c on unaligned buffer with length of 1 can result in a system crash.
>
> Signed-off-by: Yehuda Sadeh <[email protected]>
Ouch! Thanks for fixing this! Applied to crpyto-2.6.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt