DPDK patches and discussions
 help / color / mirror / Atom feed
From: Andrew Boyer <andrew.boyer@amd.com>
To: <dev@dpdk.org>
Cc: Andrew Boyer <andrew.boyer@amd.com>
Subject: [PATCH 1/2] crypto/ionic: fix buffer overrun when writing session
Date: Mon, 1 Jul 2024 08:22:49 -0700	[thread overview]
Message-ID: <20240701152250.46978-1-andrew.boyer@amd.com> (raw)

Coverity pointed out that, if the final segment of the session key being
written is not a full segment, the loop could potentially read past the
end of the source buffer. Use RTE_MIN() to make sure to only copy as much
of the key as is left.

Coverity issue: 426432
Fixes: 6bc7f2cf6687 ("crypto/ionic: support sessions")

Signed-off-by: Andrew Boyer <andrew.boyer@amd.com>
---
 drivers/crypto/ionic/ionic_crypto_main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/ionic/ionic_crypto_main.c b/drivers/crypto/ionic/ionic_crypto_main.c
index d4810e3617..9960dc3a6d 100644
--- a/drivers/crypto/ionic/ionic_crypto_main.c
+++ b/drivers/crypto/ionic/ionic_crypto_main.c
@@ -193,7 +193,7 @@ iocpt_session_write(struct iocpt_session_priv *priv,
 	};
 	struct iocpt_sess_control_cmd *cmd = &ctx.cmd.sess_control;
 	uint16_t key_offset;
-	uint8_t key_segs, seg;
+	uint8_t key_segs, seg, seg_len;
 	int err;
 
 	key_segs = ((priv->key_len - 1) >> IOCPT_SESS_KEY_SEG_SHFT) + 1;
@@ -202,8 +202,9 @@ iocpt_session_write(struct iocpt_session_priv *priv,
 		ctx.pending_work = true;
 
 		key_offset = seg * cmd->key_seg_len;
-		memcpy(cmd->key, &priv->key[key_offset],
-			IOCPT_SESS_KEY_SEG_LEN);
+		seg_len = (uint8_t)RTE_MIN(priv->key_len - key_offset,
+					IOCPT_SESS_KEY_SEG_LEN);
+		memcpy(cmd->key, &priv->key[key_offset], seg_len);
 		cmd->key_seg_idx = seg;
 
 		/* Mark final segment */
-- 
2.17.1


             reply	other threads:[~2024-07-01 15:23 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-01 15:22 Andrew Boyer [this message]
2024-07-01 15:22 ` [PATCH 2/2] crypto/ionic: fix sign extension in queue allocation Andrew Boyer
2024-07-03 17:30 ` [EXTERNAL] [PATCH 1/2] crypto/ionic: fix buffer overrun when writing session Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240701152250.46978-1-andrew.boyer@amd.com \
    --to=andrew.boyer@amd.com \
    --cc=dev@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).