From 7260042b2d0397e7a8735ca47cd7839a5bb1210b Mon Sep 17 00:00:00 2001 From: Lee Nipper Date: Mon, 19 Jul 2010 14:11:24 +0800 Subject: [PATCH] crypto: talitos - fix bug in sg_copy_end_to_buffer In function sg_copy_end_to_buffer, too much data is copied when a segment in the scatterlist has .length greater than the requested copy length. This patch adds the limit checks to fix this bug of over copying, which affected only the ahash algorithms. Signed-off-by: Lee Nipper Acked-by: Kim Phillips Signed-off-by: Herbert Xu --- drivers/crypto/talitos.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c index 637c105f53d2..bd78acf3c365 100644 --- a/drivers/crypto/talitos.c +++ b/drivers/crypto/talitos.c @@ -1183,10 +1183,14 @@ static size_t sg_copy_end_to_buffer(struct scatterlist *sgl, unsigned int nents, /* Copy part of this segment */ ignore = skip - offset; len = miter.length - ignore; + if (boffset + len > buflen) + len = buflen - boffset; memcpy(buf + boffset, miter.addr + ignore, len); } else { - /* Copy all of this segment */ + /* Copy all of this segment (up to buflen) */ len = miter.length; + if (boffset + len > buflen) + len = buflen - boffset; memcpy(buf + boffset, miter.addr, len); } boffset += len;