On Thu, Aug 15, 2024 at 09:06:30AM +0300, Dan Carpenter wrote:
>
> However we're subtracting RTA_ALIGN() not rta->rta_len so there is a chance that
> this subtraction can make keylen negative (but it's unsigned so a large positive
> value).  Both keylen and rta->rta_len would have to not be multiples of 4.
> For example, if they were both set to 9.
>
> (I'm not a domain expert so maybe there is checking for % 4 at a different level).
>
> A high positive value of keylen would lead to memory corruption later in the
> function.

Good catch.  Those RTA_ALIGNs should be removed per the generic authenc
code.

The same bug exists in drivers/crypto/marvell/octeontx*, could you
please send patches for all of these?

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
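
Added example, not part of the original thread and not the driver's code: a userspace C sketch of the length arithmetic discussed above, using the keylen = rta_len = 9 case from the quoted report. The struct, macros and function names are local stand-ins assumed to mirror the kernel's rtattr layout and RTA_OK/RTA_ALIGN semantics.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins (assumptions) for the kernel's struct rtattr and RTA_* macros. */
struct ex_rtattr { uint16_t rta_len; uint16_t rta_type; };
#define EX_RTA_ALIGN(n) (((n) + 3u) & ~3u)
#define EX_RTA_OK(rta, len) ((len) >= sizeof(struct ex_rtattr) && \
	(rta)->rta_len >= sizeof(struct ex_rtattr) && (rta)->rta_len <= (len))

/* Constructed sample key: a 9-byte blob whose header claims rta_len = 9. */
static void build_sample_key(uint8_t key[9])
{
	struct ex_rtattr hdr = { .rta_len = 9, .rta_type = 1 };
	memset(key, 0, 9);
	memcpy(key, &hdr, sizeof(hdr));
}

/* Copy out the header and apply the RTA_OK-style bounds check (unaligned length). */
static int read_hdr(const uint8_t *key, unsigned int keylen, struct ex_rtattr *rta)
{
	if (keylen < sizeof(*rta))
		return -1;
	memcpy(rta, key, sizeof(*rta));
	return EX_RTA_OK(rta, keylen) ? 0 : -1;
}

/* Pattern from the report: validate rta_len, then subtract the ALIGNED length. */
static int remaining_aligned(const uint8_t *key, unsigned int keylen, unsigned int *out)
{
	struct ex_rtattr rta;
	if (read_hdr(key, keylen, &rta))
		return -1;
	*out = keylen - EX_RTA_ALIGN(rta.rta_len); /* 9 - 12 wraps to a huge value */
	return 0;
}

/* Direction given in the reply: subtract exactly the length that was validated. */
static int remaining_exact(const uint8_t *key, unsigned int keylen, unsigned int *out)
{
	struct ex_rtattr rta;
	if (read_hdr(key, keylen, &rta))
		return -1;
	*out = keylen - rta.rta_len; /* rta_len <= keylen was checked, so no wrap */
	return 0;
}
int main(void)
{
	uint8_t key[9]; unsigned int a = 0, e = 0;
	build_sample_key(key);
	if (!remaining_aligned(key, 9, &a) && !remaining_exact(key, 9, &e))
		printf("aligned: %u\nexact:   %u\n", a, e);
	return 0;
}
```

The bounds check passes in both functions because it compares the unaligned rta_len against keylen; only the aligned subtraction can exceed what was checked.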