diff options
author | Jakub Kicinski <kuba@kernel.org> | 2022-08-09 19:55:44 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-08-11 07:53:25 +0200 |
commit | d800a7b3577bfb783481b02865d8775a760212a7 (patch) | |
tree | 69bbc9081eb324017b05e80621123de8a7645751 | |
parent | tls: rx: device: bound the frag walk (diff) | |
download | linux-d800a7b3577bfb783481b02865d8775a760212a7.tar.xz linux-d800a7b3577bfb783481b02865d8775a760212a7.zip |
tls: rx: device: don't try to copy too much on detach
Another device offload bug, we use the length of the output
skb as an indication of how much data to copy. But that skb
is sized to offset + record length, and we start from offset.
So we end up double-counting the offset which leads to
skb_copy_bits() returning -EFAULT.
Reported-by: Tariq Toukan <tariqt@nvidia.com>
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Tested-by: Ran Rozenstein <ranro@nvidia.com>
Link: https://lore.kernel.org/r/20220809175544.354343-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r-- | net/tls/tls_strp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c index f0b7c9122fba..9b79e334dbd9 100644 --- a/net/tls/tls_strp.c +++ b/net/tls/tls_strp.c @@ -41,7 +41,7 @@ static struct sk_buff *tls_strp_msg_make_copy(struct tls_strparser *strp) struct sk_buff *skb; int i, err, offset; - skb = alloc_skb_with_frags(0, strp->anchor->len, TLS_PAGE_ORDER, + skb = alloc_skb_with_frags(0, strp->stm.full_len, TLS_PAGE_ORDER, &err, strp->sk->sk_allocation); if (!skb) return NULL; |