diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2016-11-17 09:07:58 -0500 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2016-11-18 09:34:10 -0500 |
| commit | a8348bca2944d397a528772f5c0ccb47a8b58af4 (patch) | |
| tree | a3afca8b46f4b4fa4c28755681821a178bfa7e18 /crypto | |
| parent | a5a40d4624cd2328c69768f6eb41716fc249d7be (diff) | |
crypto: algif_hash - Fix NULL hash crash with shash
Recently algif_hash has been changed to allow null hashes. This
triggers a bug when used with an shash algorithm whereby it will
cause a crash during the digest operation.
This patch fixes it by avoiding the digest operation and instead
doing an init followed by a final which avoids the buggy code in
shash.
This patch also ensures that the result buffer is freed after an
error so that it is not returned as a genuine hash result on the
next recv call.
The shash/ahash wrapper code will be fixed later to handle this
case correctly.
Fixes: 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Laura Abbott <labbott@redhat.com>
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/algif_hash.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index 2d8466f9e49b..05e21b464433 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c | |||
| @@ -214,23 +214,26 @@ static int hash_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, | |||
| 214 | 214 | ||
| 215 | ahash_request_set_crypt(&ctx->req, NULL, ctx->result, 0); | 215 | ahash_request_set_crypt(&ctx->req, NULL, ctx->result, 0); |
| 216 | 216 | ||
| 217 | if (ctx->more) { | 217 | if (!result) { |
| 218 | err = af_alg_wait_for_completion( | ||
| 219 | crypto_ahash_init(&ctx->req), | ||
| 220 | &ctx->completion); | ||
| 221 | if (err) | ||
| 222 | goto unlock; | ||
| 223 | } | ||
| 224 | |||
| 225 | if (!result || ctx->more) { | ||
| 218 | ctx->more = 0; | 226 | ctx->more = 0; |
| 219 | err = af_alg_wait_for_completion(crypto_ahash_final(&ctx->req), | 227 | err = af_alg_wait_for_completion(crypto_ahash_final(&ctx->req), |
| 220 | &ctx->completion); | 228 | &ctx->completion); |
| 221 | if (err) | 229 | if (err) |
| 222 | goto unlock; | 230 | goto unlock; |
| 223 | } else if (!result) { | ||
| 224 | err = af_alg_wait_for_completion( | ||
| 225 | crypto_ahash_digest(&ctx->req), | ||
| 226 | &ctx->completion); | ||
| 227 | } | 231 | } |
| 228 | 232 | ||
| 229 | err = memcpy_to_msg(msg, ctx->result, len); | 233 | err = memcpy_to_msg(msg, ctx->result, len); |
| 230 | 234 | ||
| 231 | hash_free_result(sk, ctx); | ||
| 232 | |||
| 233 | unlock: | 235 | unlock: |
| 236 | hash_free_result(sk, ctx); | ||
| 234 | release_sock(sk); | 237 | release_sock(sk); |
| 235 | 238 | ||
| 236 | return err ?: len; | 239 | return err ?: len; |