[PATCH] crypto: nx: Fix memcpy() over-reading in nonce

From: Kees Cook
Date: Wed Jun 16 2021 - 16:35:09 EST

Next message: Brendan Higgins: "Re: [PATCH v2 2/3] kunit: Move default config from arch/um -> tools/testing/kunit"
Previous message: Christophe JAILLET: "[PATCH] dmaengine: hisi_dma: Remove some useless code"
Next in thread: Michael Ellerman: "Re: [PATCH] crypto: nx: Fix memcpy() over-reading in nonce"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix typo in memcpy() where size should be CTR_RFC3686_NONCE_SIZE.

Fixes: 030f4e968741 ("crypto: nx - Fix reentrancy bugs")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
drivers/crypto/nx/nx-aes-ctr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/nx/nx-aes-ctr.c b/drivers/crypto/nx/nx-aes-ctr.c
index 13f518802343..6120e350ff71 100644
--- a/drivers/crypto/nx/nx-aes-ctr.c
+++ b/drivers/crypto/nx/nx-aes-ctr.c
@@ -118,7 +118,7 @@ static int ctr3686_aes_nx_crypt(struct skcipher_request *req)
struct nx_crypto_ctx *nx_ctx = crypto_skcipher_ctx(tfm);
u8 iv[16];

- memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_IV_SIZE);
+ memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_NONCE_SIZE);
memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
iv[12] = iv[13] = iv[14] = 0;
iv[15] = 1;
--
2.25.1

Next message: Brendan Higgins: "Re: [PATCH v2 2/3] kunit: Move default config from arch/um -> tools/testing/kunit"
Previous message: Christophe JAILLET: "[PATCH] dmaengine: hisi_dma: Remove some useless code"
Next in thread: Michael Ellerman: "Re: [PATCH] crypto: nx: Fix memcpy() over-reading in nonce"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]