From f69af5c3a887b65da440726968d7c68218a347d6 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Tue, 6 May 2008 14:01:23 +0800 Subject: [PATCH] CRYPTO: api: Fix scatterwalk_sg_chain [CRYPTO] api: Fix scatterwalk_sg_chain [ Upstream commit: 8ec970d8561abb5645d4602433b772e268c96d05 ] When I backed out of using the generic sg chaining (as it isn't currently portable) and introduced scatterwalk_sg_chain/scatterwalk_sg_next I left out the sg_is_last check in the latter. This causes it to potentially dereference beyond the end of the sg array. As most uses of scatterwalk_sg_next are bound by an overall length, this only affected the chaining code in authenc and eseqiv. Thanks to Patrick McHardy for identifying this problem. This patch also clears the "last" bit on the head of the chained list as it's no longer last. This also went missing in scatterwalk_sg_chain and is present in sg_chain. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- include/crypto/scatterwalk.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h index 224658b8d806..833d208c25d6 100644 --- a/include/crypto/scatterwalk.h +++ b/include/crypto/scatterwalk.h @@ -57,10 +57,14 @@ static inline void scatterwalk_sg_chain(struct scatterlist *sg1, int num, struct scatterlist *sg2) { sg_set_page(&sg1[num - 1], (void *)sg2, 0, 0); + sg1[num - 1].page_link &= ~0x02; } static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg) { + if (sg_is_last(sg)) + return NULL; + return (++sg)->length ? sg : (void *)sg_page(sg); } -- 2.39.5