Received: with ECARTIS (v1.0.0; list netdev); Wed, 21 Jul 2004 15:06:36 -0700 (PDT) Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by oss.sgi.com (8.13.0/8.13.0) with ESMTP id i6LM6VjD014144 for ; Wed, 21 Jul 2004 15:06:31 -0700 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.12.10/8.12.10) with ESMTP id i6LM6Oe1016828; Wed, 21 Jul 2004 18:06:24 -0400 Received: from devserv.devel.redhat.com (devserv.devel.redhat.com [172.16.58.1]) by int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id i6LM6Oa14366; Wed, 21 Jul 2004 18:06:24 -0400 Received: from cheetah.davemloft.net (localhost.localdomain [127.0.0.1]) by devserv.devel.redhat.com (8.12.11/8.12.10) with SMTP id i6LM5k9J002389; Wed, 21 Jul 2004 18:05:47 -0400 Date: Wed, 21 Jul 2004 15:02:19 -0700 From: "David S. Miller" To: Herbert Xu Cc: jmorris@redhat.com, netdev@oss.sgi.com Subject: Re: [CRYPTO] Fix stack overrun in crypt() Message-Id: <20040721150219.18b7b1f9.davem@redhat.com> In-Reply-To: <20040715114840.GA1325@gondor.apana.org.au> References: <20040715114840.GA1325@gondor.apana.org.au> X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; sparc-unknown-linux-gnu) X-Face: "_;p5u5aPsO,_Vsx"^v-pEq09'CU4&Dc1$fQExov$62l60cgCc%FnIwD=.UF^a>?5'9Kn[;433QFVV9M..2eN.@4ZWPGbdi<=?[:T>y?SD(R*-3It"Vj:)"dP Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-archive-position: 7070 X-ecartis-version: Ecartis v1.0.0 Sender: netdev-bounce@oss.sgi.com Errors-to: netdev-bounce@oss.sgi.com X-original-sender: davem@redhat.com Precedence: bulk X-list: netdev Content-Length: 774 Lines: 23 On Thu, 15 Jul 2004 21:48:40 +1000 Herbert Xu wrote: > PS I think someone should double-check the logic in the scatterwalk > stuff, especially the whichbuf bits. The goal of scatterwalk_whichbuf() is to use the temporary buffer if we are walking over a page boundary. We can use walk->data, and thus directly the page involved, if we do not cross such a boundary. The test is that all of the following conditions pass: 1) nbytes is <= walk->len_this_page When scatterwalk_start() is invoked, walk->len_this_page is set to the minimum of the remaining scatterlist segment length and the remaining bytes in that page itself. 2) walk->data + nbytes does not straddle a PAGE_CACHE_SIZE boundary This looks all fine to me.