crypto: talitos - fix bug in sg_copy_end_to_buffer
authorLee Nipper <lee.nipper@gmail.com>
Mon, 19 Jul 2010 06:11:24 +0000 (14:11 +0800)
committerHerbert Xu <herbert@gondor.apana.org.au>
Mon, 19 Jul 2010 06:11:24 +0000 (14:11 +0800)
In function sg_copy_end_to_buffer, too much data
is copied when a segment in the scatterlist
has .length greater than the requested copy length.

This patch adds the limit checks to fix this bug of over copying,
which affected only the ahash algorithms.

Signed-off-by: Lee Nipper <lee.nipper@gmail.com>
Acked-by: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
drivers/crypto/talitos.c

index 637c105f53d262f904230c77b5bc5a5a5234fda7..bd78acf3c365aa1910a467f3fce882fa26c84841 100644 (file)
@@ -1183,10 +1183,14 @@ static size_t sg_copy_end_to_buffer(struct scatterlist *sgl, unsigned int nents,
                                /* Copy part of this segment */
                                ignore = skip - offset;
                                len = miter.length - ignore;
+                               if (boffset + len > buflen)
+                                       len = buflen - boffset;
                                memcpy(buf + boffset, miter.addr + ignore, len);
                        } else {
-                               /* Copy all of this segment */
+                               /* Copy all of this segment (up to buflen) */
                                len = miter.length;
+                               if (boffset + len > buflen)
+                                       len = buflen - boffset;
                                memcpy(buf + boffset, miter.addr, len);
                        }
                        boffset += len;