On Mon, Sep 17, 2018 at 12:52:44PM -0700, Tadeusz Struk wrote:
> On 9/17/18 10:24 AM, Dan Aloni wrote:
> > The encryption mode of pkcs1pad never uses out_sg and out_buf, so
> > there's no need to allocate the buffer, which presently is not even
> > being freed.
>
> It is used and freed in pkcs1pad_decrypt_complete().

True, but how is pkcs1pad_decrypt_complete() reachable from the
encryption path of the code? Or, is there a hidden API assumption that
the alg.decrypt callback will be called for every alg.encrypt call? It
does not seem right.

Same question for pkcs1pad_verify_complete(), which is the only other
free path for this field.

-- 
Dan Aloni