sunrpc: Fix skcipher/shash conversion

The skcpiher/shash conversion introduced a number of bugs in the sunrpc code: 1) Missing calls to skcipher_request_set_tfm lead to crashes. 2) The allocation size of shash_desc is too small which leads to memory corruption. Fixes: 3b5cf20cf439 ("sunrpc: Use skcipher and ahash/shash") Reported-by: J. Bruce Fields <bfields@fieldses.org> Tested-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Herbert Xu <herbert@gondor.apana.org.au> 2016-04-03 00:37:15 -0400
committer: Herbert Xu <herbert@gondor.apana.org.au> 2016-04-04 09:45:51 -0400
commit: ef609c238a8ea163cb0af759cc73c9e2555c89da (patch)
tree: 99fc4f1518315e72c089626567a07dfd964c78ef /net
parent: 9735a22799b9214d17d3c231fe377fc852f042e9 (diff)
2 files changed, 8 insertions, 3 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index d94a8e1e9f05..da26455cf86c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -78,6 +78,7 @@ krb5_encrypt(
        memcpy(out, in, length);
        sg_init_one(sg, out, length);
+        skcipher_request_set_tfm(req, tfm);
        skcipher_request_set_callback(req, 0, NULL, NULL);
        skcipher_request_set_crypt(req, sg, sg, length, local_iv);
@@ -115,6 +116,7 @@ krb5_decrypt(
        memcpy(out, in, length);
        sg_init_one(sg, out, length);
+        skcipher_request_set_tfm(req, tfm);
        skcipher_request_set_callback(req, 0, NULL, NULL);
        skcipher_request_set_crypt(req, sg, sg, length, local_iv);
@@ -946,7 +948,8 @@ krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher,
                return PTR_ERR(hmac);
        }
-        desc = kmalloc(sizeof(*desc), GFP_KERNEL);
+        desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
+                       GFP_KERNEL);
        if (!desc) {
                dprintk("%s: failed to allocate shash descriptor for '%s'\n",
                        __func__, kctx->gk5e->cksum_name);
@@ -1012,7 +1015,8 @@ krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher,
                return PTR_ERR(hmac);
        }
-        desc = kmalloc(sizeof(*desc), GFP_KERNEL);
+        desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
+                       GFP_KERNEL);
        if (!desc) {
                dprintk("%s: failed to allocate shash descriptor for '%s'\n",
                        __func__, kctx->gk5e->cksum_name);
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 71341ccb9890..65427492b1c9 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -451,7 +451,8 @@ context_derive_keys_rc4(struct krb5_ctx *ctx)
                goto out_err_free_hmac;
-        desc = kmalloc(sizeof(*desc), GFP_KERNEL);
+        desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
+                       GFP_KERNEL);
        if (!desc) {
                dprintk("%s: failed to allocate hash descriptor for '%s'\n",
                        __func__, ctx->gk5e->cksum_name);
author	Herbert Xu <herbert@gondor.apana.org.au>	2016-04-03 00:37:15 -0400
committer	Herbert Xu <herbert@gondor.apana.org.au>	2016-04-04 09:45:51 -0400
commit	ef609c238a8ea163cb0af759cc73c9e2555c89da (patch)
tree	99fc4f1518315e72c089626567a07dfd964c78ef /net
parent	9735a22799b9214d17d3c231fe377fc852f042e9 (diff)