!12681 smb: client: fix UAF in async decryption

 */

static int

crypt_message(struct TCP_Server_Info *server, int num_rqst,

	      struct smb_rqst *rqst, int enc)

	      struct smb_rqst *rqst, int enc, struct crypto_aead *tfm)

{

	struct smb2_transform_hdr *tr_hdr =

		(struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base;

	struct aead_request *req;

	char *iv;

	unsigned int iv_len;

	DECLARE_CRYPTO_WAIT(wait);

	struct crypto_aead *tfm;

	unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);

	rc = smb2_get_enc_key(server, tr_hdr->SessionId, enc, key);

		return rc;

	}

	rc = smb3_crypto_aead_allocate(server);

	if (rc) {

		cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__);

		return rc;

	}

	tfm = enc ? server->secmech.ccmaesencrypt :

						server->secmech.ccmaesdecrypt;

	if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||

		(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))

		rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE);

	aead_request_set_crypt(req, sg, sg, crypt_len, iv);

	aead_request_set_ad(req, assoc_data_len);

	aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,

				  crypto_req_done, &wait);

	rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)

				: crypto_aead_decrypt(req), &wait);

	rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);

	if (!rc && enc)

		memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);

	/* fill the 1st iov with a transform header */

	fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type);

	rc = crypt_message(server, num_rqst, new_rq, 1);

	rc = crypt_message(server, num_rqst, new_rq, 1,

			server->secmech.ccmaesencrypt);

	cifs_dbg(FYI, "Encrypt message returned %d\n", rc);

	if (rc)

		goto err_free;

		 unsigned int npages, unsigned int page_data_size,

		 bool is_offloaded)

{

	struct kvec iov[2];

	struct crypto_aead *tfm;

	struct smb_rqst rqst = {NULL};

	struct kvec iov[2];

	int rc;

	iov[0].iov_base = buf;

	rqst.rq_pagesz = PAGE_SIZE;

	rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE;

	rc = crypt_message(server, 1, &rqst, 0);

	if (is_offloaded) {

		if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||

				(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))

			tfm = crypto_alloc_aead("gcm(aes)", 0, 0);

		else

			tfm = crypto_alloc_aead("ccm(aes)", 0, 0);

		if (IS_ERR(tfm)) {

			rc = PTR_ERR(tfm);

			cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc);

			return rc;

		}

	} else {

		if (unlikely(!server->secmech.ccmaesdecrypt))

			return -EIO;

		tfm = server->secmech.ccmaesdecrypt;

	}

	rc = crypt_message(server, 1, &rqst, 0, tfm);

	cifs_dbg(FYI, "Decrypt message returned %d\n", rc);

	if (is_offloaded)

		crypto_free_aead(tfm);

	if (rc)

		return rc;

		else

			cifs_server_dbg(VFS, "Missing expected negotiate contexts\n");

	}

	if (server->cipher_type && !rc) {

		rc = smb3_crypto_aead_allocate(server);

		if (rc)

			cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc);

	}

neg_exit:

	free_rsp_buf(resp_buftype, rsp);

	return rc;