diff options
| author | Jakub Kicinski <[email protected]> | 2019-05-09 16:14:07 -0700 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2019-05-09 16:37:39 -0700 |
| commit | b53f4976fb1f738573b5b76e21d3c2652fffb46b (patch) | |
| tree | 7b72ad4d3694231a1a1cba89873957367474eb22 /security/selinux/hooks.c | |
| parent | 88c80bee883e7687d2672f84fd6d0fa1cee3d348 (diff) | |
net/tls: handle errors from padding_length()
At the time padding_length() is called the record header
is still part of the message. If malicious TLS 1.3 peer
sends an all-zero record padding_length() will stop at
the record header, and return full length of the data
including the tail_size.
Subsequent subtraction of prot->overhead_size from rxm->full_len
will cause rxm->full_len to turn negative. skb accessors,
however, will always catch resulting out-of-bounds operation,
so in practice this fix comes down to returning the correct
error code. It also fixes a set but not used warning.
This code was added by commit 130b392c6cd6 ("net: tls: Add tls 1.3 support").
CC: Dave Watson <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Dirk van der Merwe <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'security/selinux/hooks.c')
0 files changed, 0 insertions, 0 deletions