crypto: talitos - fix bug in sg_copy_end_to_buffer In function sg_copy_end_to_buffer, too much data is copied when a segment in the scatterlist has .length greater than the requested copy length. This patch adds the limit checks to fix this bug of over copying, which affected only the ahash algorithms. Signed-off-by: Lee Nipper <lee.nipper@gmail.com> Acked-by: Kim Phillips <kim.phillips@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

commit: 7260042b2d0397e7a8735ca47cd7839a5bb1210b [log] [tgz]
author: Lee Nipper <lee.nipper@gmail.com> Mon Jul 19 14:11:24 2010 +0800
committer: Herbert Xu <herbert@gondor.apana.org.au> Mon Jul 19 14:11:24 2010 +0800
tree: da92181f60f67f1e82378e59edfd13def6a51fe7
parent: 2716fbf63ee39eadc1aa9b3841b20f75b99a9bc3 [diff] [blame]
diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
index 637c105..bd78acf 100644
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c

@@ -1183,10 +1183,14 @@
 				/* Copy part of this segment */
 				ignore = skip - offset;
 				len = miter.length - ignore;
+				if (boffset + len > buflen)
+					len = buflen - boffset;
 				memcpy(buf + boffset, miter.addr + ignore, len);
 			} else {
-				/* Copy all of this segment */
+				/* Copy all of this segment (up to buflen) */
 				len = miter.length;
+				if (boffset + len > buflen)
+					len = buflen - boffset;
 				memcpy(buf + boffset, miter.addr, len);
 			}
 			boffset += len;
commit	7260042b2d0397e7a8735ca47cd7839a5bb1210b	[log] [tgz]
author	Lee Nipper <lee.nipper@gmail.com>	Mon Jul 19 14:11:24 2010 +0800
committer	Herbert Xu <herbert@gondor.apana.org.au>	Mon Jul 19 14:11:24 2010 +0800
tree	da92181f60f67f1e82378e59edfd13def6a51fe7
parent	2716fbf63ee39eadc1aa9b3841b20f75b99a9bc3 [diff] [blame]