crypto: testmgr - don't copy from source IV too much

While the destination buffer 'iv' is MAX_IVLEN size,
the source 'template[i].iv' could be smaller, thus
memcpy may read read invalid memory.
Use crypto_skcipher_ivsize() to get real ivsize
and pass it to memcpy.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

1 files changed, 3 insertions, 2 deletions

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 35c2de136971..fa18753f5c34 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -940,6 +940,7 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
         char *xbuf[XBUFSIZE];
         char *xoutbuf[XBUFSIZE];
         int ret = -ENOMEM;
+        unsigned int ivsize = crypto_skcipher_ivsize(tfm);
 
         if (testmgr_alloc_buf(xbuf))
                 goto out_nobuf;
@@ -975,7 +976,7 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
                         continue;
 
                 if (template[i].iv)
-                        memcpy(iv, template[i].iv, MAX_IVLEN);
+                        memcpy(iv, template[i].iv, ivsize);
                 else
                         memset(iv, 0, MAX_IVLEN);
 
@@ -1051,7 +1052,7 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
                         continue;
 
                 if (template[i].iv)
-                        memcpy(iv, template[i].iv, MAX_IVLEN);
+                        memcpy(iv, template[i].iv, ivsize);
                 else
                         memset(iv, 0, MAX_IVLEN);