summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJerome Marchand <jmarchan@redhat.com>2016-02-03 13:58:12 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2016-02-06 15:33:29 +0800
commitabfa7f4357e3640fdee87dfc276fd0f379fb5ae6 (patch)
tree078981ec818395044e492b3a1b13d5ccdbd8a869
parentd42cf2f1901e4fafb133d5fb680fc7138b9ba393 (diff)
crypto: testmgr - fix out of bound read in __test_aead()
__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the actual length of the initialisation vector can be shorter. The length of the IV is already calculated earlier in the function. Let's just reuses that. Also the IV length is currently calculated several time for no reason. Let's fix that too. This fix an out-of-bound error detected by KASan. Signed-off-by: Jerome Marchand <jmarchan@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/testmgr.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index cde6a2983937..54681838da6c 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -613,6 +613,8 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
tcrypt_complete, &result);
+ iv_len = crypto_aead_ivsize(tfm);
+
for (i = 0, j = 0; i < tcount; i++) {
if (template[i].np)
continue;
@@ -633,7 +635,6 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
memcpy(input, template[i].input, template[i].ilen);
memcpy(assoc, template[i].assoc, template[i].alen);
- iv_len = crypto_aead_ivsize(tfm);
if (template[i].iv)
memcpy(iv, template[i].iv, iv_len);
else
@@ -742,7 +743,7 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
j++;
if (template[i].iv)
- memcpy(iv, template[i].iv, MAX_IVLEN);
+ memcpy(iv, template[i].iv, iv_len);
else
memset(iv, 0, MAX_IVLEN);