| Message ID | 20190409005950.7804-1-jakub.kicinski@netronome.com |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net] net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded() | expand |
From: Jakub Kicinski <jakub.kicinski@netronome.com> Date: Mon, 8 Apr 2019 17:59:50 -0700 > Unlike '&&' operator, the '&' does not have short-circuit > evaluation semantics. IOW both sides of the operator always > get evaluated. Fix the wrong operator in > tls_is_sk_tx_device_offloaded(), which would lead to > out-of-bounds access for for non-full sockets. > > Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") > Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> > Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com> > Reviewed-by: Simon Horman <simon.horman@netronome.com> Good catch, applied and queued up for -stable.
diff --git a/include/net/tls.h b/include/net/tls.h index a5a938583295..cefc020ffeb4 100644 --- a/include/net/tls.h +++ b/include/net/tls.h @@ -379,7 +379,7 @@ tls_validate_xmit_skb(struct sock *sk, struct net_device *dev, static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk) { #ifdef CONFIG_SOCK_VALIDATE_XMIT - return sk_fullsock(sk) & + return sk_fullsock(sk) && (smp_load_acquire(&sk->sk_validate_xmit_skb) == &tls_validate_xmit_skb); #else
Unlike '&&' operator, the '&' does not have short-circuit evaluation semantics. IOW both sides of the operator always get evaluated. Fix the wrong operator in tls_is_sk_tx_device_offloaded(), which would lead to out-of-bounds access for for non-full sockets. Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com> Reviewed-by: Simon Horman <simon.horman@netronome.com> --- include/net/tls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)