crypto: testmgr - don't copy from source IV too much While the destination buffer 'iv' is MAX_IVLEN size, the source 'template[i].iv' could be smaller, thus memcpy may read read invalid memory. Use crypto_skcipher_ivsize() to get real ivsize and pass it to memcpy. Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

commit: 84cba178a3b88efe2668a9039f70abda072faa21 [log] [tgz]
author: Andrey Ryabinin <aryabinin@virtuozzo.com> Thu Sep 10 13:11:55 2015 +0300
committer: Herbert Xu <herbert@gondor.apana.org.au> Fri Sep 11 22:09:43 2015 +0800
tree: 4ae19b43c59091f110a1094c7de60cd5d249f026
parent: 9da75de030bb6e49475ef37c8495d07e98cfeb33 [diff]
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 35c2de1..fa18753 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c

@@ -940,6 +940,7 @@
 	char *xbuf[XBUFSIZE];
 	char *xoutbuf[XBUFSIZE];
 	int ret = -ENOMEM;
+	unsigned int ivsize = crypto_skcipher_ivsize(tfm);
 
 	if (testmgr_alloc_buf(xbuf))
 		goto out_nobuf;
@@ -975,7 +976,7 @@
 			continue;
 
 		if (template[i].iv)
-			memcpy(iv, template[i].iv, MAX_IVLEN);
+			memcpy(iv, template[i].iv, ivsize);
 		else
 			memset(iv, 0, MAX_IVLEN);
 
@@ -1051,7 +1052,7 @@
 			continue;
 
 		if (template[i].iv)
-			memcpy(iv, template[i].iv, MAX_IVLEN);
+			memcpy(iv, template[i].iv, ivsize);
 		else
 			memset(iv, 0, MAX_IVLEN);
commit	84cba178a3b88efe2668a9039f70abda072faa21	[log] [tgz]
author	Andrey Ryabinin <aryabinin@virtuozzo.com>	Thu Sep 10 13:11:55 2015 +0300
committer	Herbert Xu <herbert@gondor.apana.org.au>	Fri Sep 11 22:09:43 2015 +0800
tree	4ae19b43c59091f110a1094c7de60cd5d249f026
parent	9da75de030bb6e49475ef37c8495d07e98cfeb33 [diff]