The function get_cipher_desc() may return NULL if the cipher type is invalid or unsupported. In fill_sg_out(), the return value is used without any checks, which could lead to a NULL pointer dereference.
This patch adds a DEBUG_NET_WARN_ON_ONCE check to ensure that cipher_desc is valid and offloadable before proceeding. This prevents potential crashes and provides a clear warning in debug builds.
Fixes: 8db44ab26beb ("tls: rename tls_cipher_size_desc to tls_cipher_desc") Cc: stable@vger.kernel.org # 6.6+ Signed-off-by: Wentao Liang vulab@iscas.ac.cn --- net/tls/tls_device_fallback.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c index f9e3d3d90dcf..0f93a0833ec2 100644 --- a/net/tls/tls_device_fallback.c +++ b/net/tls/tls_device_fallback.c @@ -306,6 +306,7 @@ static void fill_sg_out(struct scatterlist sg_out[3], void *buf, { const struct tls_cipher_desc *cipher_desc = get_cipher_desc(tls_ctx->crypto_send.info.cipher_type); + DEBUG_NET_WARN_ON_ONCE(!cipher_desc || !cipher_desc->offloadable);
sg_set_buf(&sg_out[0], dummy_buf, sync_size); sg_set_buf(&sg_out[1], nskb->data + tcp_payload_offset, payload_len);
…
This patch adds a DEBUG_NET_WARN_ON_ONCE check …
See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Docu...
Would you like to append parentheses to any function names?
Regards, Markus
On Wed, 12 Feb 2025 10:53:50 +0800 Wentao Liang wrote:
The function get_cipher_desc() may return NULL if the cipher type is invalid or unsupported. In fill_sg_out(), the return value is used without any checks, which could lead to a NULL pointer dereference.
This patch adds a DEBUG_NET_WARN_ON_ONCE check to ensure that cipher_desc is valid and offloadable before proceeding. This prevents potential crashes and provides a clear warning in debug builds.
Does not make any sense, the state is validated during configuration.
linux-stable-mirror@lists.linaro.org
-
Jakub Kicinski -
Markus Elfring -
Wentao Liang