linux-hardened/net/tls
Jakub Kicinski b53f4976fb net/tls: handle errors from padding_length()
At the time padding_length() is called the record header
is still part of the message.  If malicious TLS 1.3 peer
sends an all-zero record padding_length() will stop at
the record header, and return full length of the data
including the tail_size.

Subsequent subtraction of prot->overhead_size from rxm->full_len
will cause rxm->full_len to turn negative.  skb accessors,
however, will always catch resulting out-of-bounds operation,
so in practice this fix comes down to returning the correct
error code.  It also fixes a set but not used warning.

This code was added by commit 130b392c6c ("net: tls: Add tls 1.3 support").

CC: Dave Watson <davejwatson@fb.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-05-09 16:37:39 -07:00
..
Kconfig tls: convert to generic sk_msg interface 2018-10-15 12:23:19 -07:00
Makefile net/tls: Add generic NIC offload infrastructure 2018-05-01 09:42:47 -04:00
tls_device.c net/tls: remove set but not used variables 2019-05-09 16:37:39 -07:00
tls_device_fallback.c net/tls: avoid NULL pointer deref on nskb->sk in fallback 2019-05-01 11:37:56 -04:00
tls_main.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-04-25 23:52:29 -04:00
tls_sw.c net/tls: handle errors from padding_length() 2019-05-09 16:37:39 -07:00