Commit 0a84874c authored by Herbert Xu's avatar Herbert Xu
Browse files

crypto: shash - Fix buffer overrun in import function 



Only set the partial block length to zero if the algorithm is
block-only.  Otherwise the descriptor context could be empty,
e.g., for digest_null.

Reported-by: default avatar <syzbot+4851c19615d35f0e4d68@syzkaller.appspotmail.com>
Fixes: 7650f826 ("crypto: shash - Handle partial blocks in API")
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 2297554f

crypto/shash.c

+5 −4
Original line number Diff line number Diff line
@@ -257,12 +257,13 @@ static int __crypto_shash_import(struct shash_desc *desc, const void *in, 
	if (crypto_shash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)

		return -ENOKEY;



	ss = crypto_shash_statesize(tfm);

	if (crypto_shash_block_only(tfm)) {

		plen = crypto_shash_blocksize(tfm) + 1;

		ss -= plen;

		descsize = crypto_shash_descsize(tfm);

	ss = crypto_shash_statesize(tfm);

		buf[descsize - 1] = 0;

	if (crypto_shash_block_only(tfm))

		ss -= plen;

	}

	if (!import) {

		memcpy(buf, in, ss);

		return 0;