From: Tomasz Jozwiak Date: Mon, 22 Jan 2018 16:28:03 +0000 (+0100) Subject: crypto/qat: fix out-of-bounds access X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=8aa8ee9d2d87ba1a0560cfdbe936c3fd7c5dc12b;p=dpdk.git crypto/qat: fix out-of-bounds access This commit fixes - bpi_cipher_encrypt to prevent before 'array subscript is above array bounds' error - bpi_cipher_decrypt to prevent before 'array subscript is above array bounds' error Fixes: d18ab45f7654 ("crypto/qat: support DOCSIS BPI mode") Cc: stable@dpdk.org Signed-off-by: Tomasz Jozwiak Acked-by: Fiona Trahe --- diff --git a/drivers/crypto/qat/qat_crypto.c b/drivers/crypto/qat/qat_crypto.c index cff709ae52..9d8dc77aba 100644 --- a/drivers/crypto/qat/qat_crypto.c +++ b/drivers/crypto/qat/qat_crypto.c @@ -40,6 +40,10 @@ #include "adf_transport_access_macros.h" #define BYTE_LENGTH 8 +/* bpi is only used for partial blocks of DES and AES + * so AES block len can be assumed as max len for iv, src and dst + */ +#define BPI_MAX_ENCR_IV_LEN ICP_QAT_HW_AES_BLK_SZ static int qat_is_cipher_alg_supported(enum rte_crypto_cipher_algorithm algo, @@ -92,16 +96,16 @@ bpi_cipher_encrypt(uint8_t *src, uint8_t *dst, { EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)bpi_ctx; int encrypted_ivlen; - uint8_t encrypted_iv[16]; - int i; + uint8_t encrypted_iv[BPI_MAX_ENCR_IV_LEN]; + uint8_t *encr = encrypted_iv; /* ECB method: encrypt the IV, then XOR this with plaintext */ if (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen, iv, ivlen) <= 0) goto cipher_encrypt_err; - for (i = 0; i < srclen; i++) - *(dst+i) = *(src+i)^(encrypted_iv[i]); + for (; srclen != 0; --srclen, ++dst, ++src, ++encr) + *dst = *src ^ *encr; return 0; @@ -121,16 +125,16 @@ bpi_cipher_decrypt(uint8_t *src, uint8_t *dst, { EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)bpi_ctx; int encrypted_ivlen; - uint8_t encrypted_iv[16]; - int i; + uint8_t encrypted_iv[BPI_MAX_ENCR_IV_LEN]; + uint8_t *encr = encrypted_iv; /* ECB method: encrypt (not decrypt!) the IV, then XOR with plaintext */ if (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen, iv, ivlen) <= 0) goto cipher_decrypt_err; - for (i = 0; i < srclen; i++) - *(dst+i) = *(src+i)^(encrypted_iv[i]); + for (; srclen != 0; --srclen, ++dst, ++src, ++encr) + *dst = *src ^ *encr; return 0;