Commit 4d5a23a1 authored May 28, 2022 by Hangyu Hua Committed by Zheng Zengkai May 28, 2022

tipc: fix a bit overflow in tipc_crypto_key_rcv()

stable inclusion
from stable-v5.10.104
commit e3850e211df6817e7a6c3999080a8bc4a63092c0
bugzilla: https://gitee.com/openeuler/kernel/issues/I56XAC

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e3850e211df6817e7a6c3999080a8bc4a63092c0



--------------------------------

[ Upstream commit 143de8d9 ]

msg_data_sz return a 32bit value, but size is 16bit. This may lead to a
bit overflow.

Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 5feaa1b4

net/tipc/crypto.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2280,7 +2280,7 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto rx, struct tipc_msg hdr)
		struct tipc_crypto *tx = tipc_net(rx->net)->crypto_tx;
		struct tipc_aead_key *skey = NULL;
		u16 key_gen = msg_key_gen(hdr);
		u16 size = msg_data_sz(hdr);
		u32 size = msg_data_sz(hdr);
		u8 *data = msg_data(hdr);
		unsigned int keylen;