projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ecd9f6e)
tls: rx: strp: fix determining record length in copy mode
authorJakub Kicinski <kuba@kernel.org>
Wed, 17 May 2023 01:50:39 +0000 (18:50 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 Jun 2023 07:26:17 +0000 (09:26 +0200)
[ Upstream commit 8b0c0dc9fbbd01e58a573a41c38885f9e4c17696 ]

We call tls_rx_msg_size(skb) before doing skb->len += chunk.
So the tls_rx_msg_size() code will see old skb->len, most
likely leading to an over-read.

Worst case we will over read an entire record, next iteration
will try to trim the skb but may end up turning frag len negative
or discarding the subsequent record (since we already told TCP
we've read it during previous read but now we'll trim it out of
the skb).

Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Tested-by: Shai Amiram <samiram@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/tls/tls_strp.c patch | blob | history

diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
index 24016c865e004b7eb44437e1521f1a35a2444c57..9889df5ce0660d7bc3a30022edd4e54fb05913cc 100644 (file)
--- a/net/tls/tls_strp.c
+++ b/net/tls/tls_strp.c
@@ -210,19 +210,28 @@ static int tls_strp_copyin(read_descriptor_t *desc, struct sk_buff *in_skb,
                                           skb_frag_size(frag),
                                           chunk));
 
-               sz = tls_rx_msg_size(strp, strp->anchor);
+               skb->len += chunk;
+               skb->data_len += chunk;
+               skb_frag_size_add(frag, chunk);
+
+               sz = tls_rx_msg_size(strp, skb);
                if (sz < 0) {
                        desc->error = sz;
                        return 0;
                }
 
                /* We may have over-read, sz == 0 is guaranteed under-read */
-               if (sz > 0)
-                       chunk = min_t(size_t, chunk, sz - skb->len);
+               if (unlikely(sz && sz < skb->len)) {
+                       int over = skb->len - sz;
+
+                       WARN_ON_ONCE(over > chunk);
+                       skb->len -= over;
+                       skb->data_len -= over;
+                       skb_frag_size_add(frag, -over);
+
+                       chunk -= over;
+               }
 
-               skb->len += chunk;
-               skb->data_len += chunk;
-               skb_frag_size_add(frag, chunk);
                frag++;
                len -= chunk;
                offset += chunk;
Domain: System / Kernel;