crypto: testmgr - fix out of bound read in __test_aead()

__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
actual length of the initialisation vector can be shorter.
The length of the IV is already calculated earlier in the
function. Let's just reuses that. Also the IV length is currently
calculated several time for no reason. Let's fix that too.
This fix an out-of-bound error detected by KASan.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index cde6a2983937317fd790b9d8139dd09045117208..54681838da6c35023915da4da2d549f16987217d 100644 (file)
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -613,6 +613,8 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
        aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
                                  tcrypt_complete, &result);
 
+       iv_len = crypto_aead_ivsize(tfm);
+
        for (i = 0, j = 0; i < tcount; i++) {
                if (template[i].np)
                        continue;
@@ -633,7 +635,6 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
 
                memcpy(input, template[i].input, template[i].ilen);
                memcpy(assoc, template[i].assoc, template[i].alen);
-               iv_len = crypto_aead_ivsize(tfm);
                if (template[i].iv)
                        memcpy(iv, template[i].iv, iv_len);
                else
@@ -742,7 +743,7 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
                j++;
 
                if (template[i].iv)
-                       memcpy(iv, template[i].iv, MAX_IVLEN);
+                       memcpy(iv, template[i].iv, iv_len);
                else
                        memset(iv, 0, MAX_IVLEN);