From: Aarnav JP <[email protected]>
Add upper-bound checks before memcpy into encr_key[32]
in roc_se_ciph_key_set() to prevent buffer overflow into
adjacent encr_iv[16]. Covers all write paths including
AES-DOCSISBPI and DES-DOCSISBPI branches that bypass
the generic copy via goto.
Fixes: 5e076b609f2a ("common/cnxk: add SE set key for crypto")
Cc: [email protected]
Signed-off-by: Aarnav JP <[email protected]>
---
drivers/common/cnxk/roc_se.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/common/cnxk/roc_se.c b/drivers/common/cnxk/roc_se.c
index d841a926a4..1cec536169 100644
--- a/drivers/common/cnxk/roc_se.c
+++ b/drivers/common/cnxk/roc_se.c
@@ -545,12 +545,22 @@ roc_se_ciph_key_set(struct roc_se_ctx *se_ctx,
roc_se_cipher_type type, const ui
* less than 128. Pass it as regular AES-CBC cipher to CPT, but
keep type in
* se_ctx as AES_DOCSISBPI to skip block size checks in
instruction preparation.
*/
+ if (key_len > sizeof(fctx->enc.encr_key)) {
+ plt_err("Cipher key length %u exceeds max %zu", key_len,
+ sizeof(fctx->enc.encr_key));
+ return -1;
+ }
cpt_ciph_aes_key_type_set(fctx, key_len);
fctx->enc.enc_cipher = ROC_SE_AES_CBC;
memcpy(fctx->enc.encr_key, key, key_len);
goto success;
case ROC_SE_DES_DOCSISBPI:
/* See case ROC_SE_DES3_CBC: for explanation */
+ if (key_len * 3 > sizeof(fctx->enc.encr_key)) {
+ plt_err("DES-DOCSISBPI key length %u exceeds max %zu",
key_len,
+ sizeof(fctx->enc.encr_key) / 3);
+ return -1;
+ }
for (i = 0; i < 3; i++)
memcpy(fctx->enc.encr_key + key_len * i, key, key_len);
/*
@@ -628,6 +638,11 @@ roc_se_ciph_key_set(struct roc_se_ctx *se_ctx,
roc_se_cipher_type type, const ui
if (se_ctx->hash_type != ROC_SE_GMAC_TYPE)
fctx->enc.enc_cipher = type;
+ if (key_len > sizeof(fctx->enc.encr_key)) {
+ plt_err("Cipher key length %u exceeds max %zu", key_len,
+ sizeof(fctx->enc.encr_key));
+ return -1;
+ }
memcpy(fctx->enc.encr_key, key, key_len);
success:
--
2.34.1
