Re: [PATCH] bpf: crypto: reject unterminated type and algorithm names

Next message: David Lechner: "Re: [PATCH v1 1/2] dt-bindings: iio: adc: avia-hx711: add avia,hx710b compatible"
Previous message: Sanjay Chitroda: "Re: [PATCH] MAINTAINERS: Update maintainer for iio driver(s)"
In reply to: Pengpeng Hou: "[PATCH] bpf: crypto: reject unterminated type and algorithm names"
Next in thread: Pengpeng Hou: "[PATCH v2] bpf: crypto: snapshot params before string validation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vadim Fedorenko

Date: Sat Apr 18 2026 - 17:34:16 EST

On 17.04.2026 08:31, Pengpeng Hou wrote:

bpf_crypto_ctx_create() validates the overall size of
struct bpf_crypto_params, but it does not verify that the fixed-width
type[14] and algo[128] fields are NUL-terminated before passing them to
string consumers.

A caller can therefore fill either field without a terminator and cause
bpf_crypto_get_type(), has_algo(), or alloc_tfm() to read past the end
of the fixed buffer.

How can this happen for static defined type/algo structures?