From: Neil Horman <nhorman@redhat.com> Date: Thu, 18 Sep 2008 09:56:27 -0400 Subject: [crypto] fix ipsec crash with MAC longer than 16 bytes Message-id: 20080918135627.GB20500@hmsendeavour.rdu.redhat.com O-Subject: Re: [RHEL 5.3 PATCH]: fix ipsec crash with MAC longer than 16 bytes. Bugzilla: 459812 RH-Acked-by: David Miller <davem@redhat.com> RH-Acked-by: Herbert Xu <herbert.xu@redhat.com> Hey- Backport of upstream commit 697690bece75d4ba424c1318eb25c37d41d5829, written by Herbert Xu. This patch prevents the use of a clobbered request pointer in the authenc code, which results in an oops. This can occur in the ipsec code when endpoints are communicating that have MAC addresses longer than 16 bytes (since thats the size of the buffer preceding the pointer). Resolves bz 459812. Please ACK. Neil
diff --git a/crypto/authenc.c b/crypto/authenc.c
index 612d65a..8ab7000 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -174,8 +174,9 @@ static int crypto_authenc_genicv(struct aead_request *req, u8 *iv,
 static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
 int err)
 {
+ struct aead_request *areq = req->data;
+
 if (!err) {
- struct aead_request *areq = req->data;
 struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
 struct ablkcipher_request *abreq = aead_request_ctx(areq);
@@ -185,7 +186,7 @@ static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
 err = crypto_authenc_genicv(areq, iv, 0);
 }

- aead_request_complete(req->data, err);
+ aead_request_complete(areq, err);
 }

 static int crypto_authenc_encrypt(struct aead_request *req)
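Review bot: The hoisted `struct aead_request *areq = req->data;` in crypto_authenc_encrypt_done has no comment saying why the read must happen before crypto_authenc_genicv() runs. A later cleanup could move the declaration back inside `if (!err)`, or restore `req->data` in the completion call, and bring the oops back. Judging from `abreq = aead_request_ctx(areq)` in the same hunk, `req` presumably sits inside areq's context memory, which the ICV computation reuses; the lines between the two hunks are not shown, so this is inferred. I would add above the declaration `/* req lives in areq's context, which genicv may overwrite: read req->data first */`. The same comment fits the identical hoist in crypto_authenc_givencrypt_done (the hunk at -216).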
@@ -216,13 +217,15 @@ static int crypto_authenc_encrypt(struct aead_request *req)
 static void crypto_authenc_givencrypt_done(struct crypto_async_request *req,
 int err)
 {
+ struct aead_request *areq = req->data;
+
 if (!err) {
- struct aead_givcrypt_request *greq = req->data;
+ struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);

- err = crypto_authenc_genicv(&greq->areq, greq->giv, 0);
+ err = crypto_authenc_genicv(areq, greq->giv, 0);
 }

- aead_request_complete(req->data, err);
+ aead_request_complete(areq, err);
 }

 static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req)
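Review bot: `greq` is now a `struct skcipher_givcrypt_request *` taken from `aead_request_ctx(areq)`, and `req->data` is treated as the `aead_request` itself rather than an `aead_givcrypt_request`. Both assumptions hold only if crypto_authenc_givencrypt(), whose body lies outside this hunk, registers the aead request as callback data and places the givcrypt request at the start of the request context. For a backport, check this against the target tree rather than assuming it matches upstream. `greq->giv` is also read from that context memory, which is presumably safe only because it is evaluated as an argument before crypto_authenc_genicv() starts writing. A comment such as `/* greq is in areq's context: fetch giv before genicv reuses it */` would record that ordering.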