[v8,3/5] rxrpc: check return value of skb_to_sgvec always
diff mbox

Message ID 20170511194134.31183-4-Jason@zx2c4.com
State New
Headers show

Commit Message

Jason A. Donenfeld May 11, 2017, 7:41 p.m. UTC
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: David Howells <dhowells@redhat.com>
---
 net/rxrpc/rxkad.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

Comments

David Howells May 15, 2017, 1:11 p.m. UTC | #1
Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> +	if (unlikely(skb_to_sgvec(skb, sg, offset, 8) < 0))
> +		goto nomem;
> ...
> +	if (unlikely(skb_to_sgvec(skb, sg, offset, len) < 0)) {
> +		if (sg != _sg)
> +			kfree(sg);
> +		goto nomem;

skb_to_sgvec() can return -EMSGSIZE in some circumstances.  You shouldn't
return -ENOMEM here in such a case.

David
Jason A. Donenfeld May 16, 2017, 10:11 p.m. UTC | #2
On Mon, May 15, 2017 at 3:11 PM, David Howells <dhowells@redhat.com> wrote:
> skb_to_sgvec() can return -EMSGSIZE in some circumstances.  You shouldn't
> return -ENOMEM here in such a case.

Noted. I'll fix this up for the next round.

Patch
diff mbox

diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index 1bb9b2ccc267..ecab9334e3c1 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -227,7 +227,9 @@  static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 	len &= ~(call->conn->size_align - 1);
 
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, 0, len);
+	err = skb_to_sgvec(skb, sg, 0, len);
+	if (unlikely(err < 0))
+		goto out;
 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 	crypto_skcipher_encrypt(req);
 
@@ -342,7 +344,8 @@  static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 		goto nomem;
 
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, offset, 8);
+	if (unlikely(skb_to_sgvec(skb, sg, offset, 8) < 0))
+		goto nomem;
 
 	/* start the decryption afresh */
 	memset(&iv, 0, sizeof(iv));
@@ -434,7 +437,11 @@  static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 	}
 
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, offset, len);
+	if (unlikely(skb_to_sgvec(skb, sg, offset, len) < 0)) {
+		if (sg != _sg)
+			kfree(sg);
+		goto nomem;
+	}
 
 	/* decrypt from the session key */
 	token = call->conn->params.key->payload.data[0];