Date: Wed, 21 Jul 2004 14:58:15 -0700
From: "David S. Miller"
To: Herbert Xu
Cc: jmorris@redhat.com, netdev@oss.sgi.com
Subject: Re: [CRYPTO] Fix stack overrun in crypt()
Message-Id: <20040721145815.307c5e39.davem@redhat.com>
In-Reply-To: <20040715114840.GA1325@gondor.apana.org.au>

On Thu, 15 Jul 2004 21:48:40 +1000
Herbert Xu wrote:

> The stack allocation in crypt() is bogus as whether tmp_src/tmp_dst
> is used is determined by factors unrelated to nbytes and
> src->length/dst->length.
>
> Since the condition for whether tmp_src/tmp_dst are used is very
> complex, let's allocate them always instead of guessing.
>
> This fixes a number of weird crashes including those AES crashes
> that people have been seeing with the 2.4 backport + ipt_conntrack.

Applied, thanks Herbert.

> PS I think someone should double-check the logic in the scatterwalk
> stuff, especially the whichbuf bits.

I've looked at this before, when it went in, but I'll double-check
it now.