tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()

Greg Kroah-Hartman Wed, 24 Apr 2019 10:51:16 -0700

From: Jakub Kicinski <[email protected]>

[ Upstream commit b4f47f3848eb70986f75d06112af7b48b7f5f462 ]


Unlike '&&' operator, the '&' does not have short-circuit
evaluation semantics.  IOW both sides of the operator always
get evaluated.  Fix the wrong operator in
tls_is_sk_tx_device_offloaded(), which would lead to
out-of-bounds access for for non-full sockets.

Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Dirk van der Merwe <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 include/net/tls.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -317,7 +317,7 @@ tls_validate_xmit_skb(struct sock *sk, s
 static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
 {
 #ifdef CONFIG_SOCK_VALIDATE_XMIT
-       return sk_fullsock(sk) &
+       return sk_fullsock(sk) &&
               (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
               &tls_validate_xmit_skb);
 #else

[PATCH 4.19 17/96] net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()

Reply via email to