[PATCH 17/17] common/cnxk: add auth key len check in inbound SA

Thu, 11 Jun 2026 00:35:14 -0700 

From: Aarnav JP <[email protected]>

Add auth key length validation before memcpy in
cnxk_on_ipsec_inb_sa_create() to prevent caller-provided
keys from overflowing fixed-size in-struct buffers and
corrupting adjacent fields.

Fixes: 532963b80707 ("crypto/cnxk: move IPsec SA creation to common")
Cc: [email protected]

Signed-off-by: Aarnav JP <[email protected]>
---
 drivers/common/cnxk/cnxk_security.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/common/cnxk/cnxk_security.c 
b/drivers/common/cnxk/cnxk_security.c
index 6f46ad3276..228ff2781d 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -1199,22 +1199,33 @@ cnxk_on_ipsec_inb_sa_create(struct 
rte_security_ipsec_xform *ipsec,
                        break;
                case RTE_CRYPTO_AUTH_MD5_HMAC:
                case RTE_CRYPTO_AUTH_SHA1_HMAC:
-                       memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
-                              auth_key_len);
-                       ctx_len = offsetof(struct roc_ie_on_inb_sa,
-                                          sha1_or_gcm.selector);
+                       if (auth_key_len > 
(int)sizeof(in_sa->sha1_or_gcm.hmac_key)) {
+                               plt_err("Auth key len %d exceeds max %zu for 
algo %u", auth_key_len,
+                                       sizeof(in_sa->sha1_or_gcm.hmac_key), 
auth_xform->auth.algo);
+                               return -EINVAL;
+                       }
+                       memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key, 
auth_key_len);
+                       ctx_len = offsetof(struct roc_ie_on_inb_sa, 
sha1_or_gcm.selector);
                        break;
                case RTE_CRYPTO_AUTH_SHA256_HMAC:
                case RTE_CRYPTO_AUTH_SHA384_HMAC:
                case RTE_CRYPTO_AUTH_SHA512_HMAC:
+                       if (auth_key_len > (int)sizeof(in_sa->sha2.hmac_key)) {
+                               plt_err("Auth key len %d exceeds max %zu for 
algo %u", auth_key_len,
+                                       sizeof(in_sa->sha2.hmac_key), 
auth_xform->auth.algo);
+                               return -EINVAL;
+                       }
                        memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
-                       ctx_len = offsetof(struct roc_ie_on_inb_sa,
-                                          sha2.selector);
+                       ctx_len = offsetof(struct roc_ie_on_inb_sa, 
sha2.selector);
                        break;
                case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+                       if (auth_key_len > (int)sizeof(in_sa->aes_xcbc.key)) {
+                               plt_err("Auth key len %d exceeds max %zu for 
algo %u", auth_key_len,
+                                       sizeof(in_sa->aes_xcbc.key), 
auth_xform->auth.algo);
+                               return -EINVAL;
+                       }
                        memcpy(in_sa->aes_xcbc.key, auth_key, auth_key_len);
-                       ctx_len = offsetof(struct roc_ie_on_inb_sa,
-                                          aes_xcbc.selector);
+                       ctx_len = offsetof(struct roc_ie_on_inb_sa, 
aes_xcbc.selector);
                        break;
                default:
                        plt_err("Unsupported auth algorithm %u", 
auth_xform->auth.algo);
-- 
2.34.1

Reply via email to