[PATCH v2 net-next 05/12] tls: Avoid copying crypto_info again after cipher_type check.

Wed, 08 Nov 2017 05:40:17 -0800 

Avoid copying crypto_info again after cipher_type check
to avoid a TOCTOU exploits.
The temporary array on the stack is removed as we don't really need it

Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
 net/tls/tls_main.c | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 13427ee..ab1bd16 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -355,7 +355,7 @@ static int tls_getsockopt(struct sock *sk, int level, int 
optname,
 static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
                                unsigned int optlen)
 {
-       struct tls_crypto_info *crypto_info, tmp_crypto_info;
+       struct tls_crypto_info *crypto_info;
        struct tls_context *ctx = tls_get_ctx(sk);
        int rc = 0;
        int tx_conf;
@@ -365,36 +365,31 @@ static int do_tls_setsockopt_tx(struct sock *sk, char 
__user *optval,
                goto out;
        }
 
-       rc = copy_from_user(&tmp_crypto_info, optval, sizeof(*crypto_info));
+       crypto_info = &ctx->crypto_send;
+       /* Currently we don't support set crypto info more than one time */
+       if (TLS_CRYPTO_INFO_READY(crypto_info))
+               goto out;
+
+       rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
        if (rc) {
                rc = -EFAULT;
                goto out;
        }
 
        /* check version */
-       if (tmp_crypto_info.version != TLS_1_2_VERSION) {
+       if (crypto_info->version != TLS_1_2_VERSION) {
                rc = -ENOTSUPP;
-               goto out;
+               goto err_crypto_info;
        }
 
-       /* get user crypto info */
-       crypto_info = &ctx->crypto_send;
-
-       /* Currently we don't support set crypto info more than one time */
-       if (TLS_CRYPTO_INFO_READY(crypto_info))
-               goto out;
-
-       switch (tmp_crypto_info.cipher_type) {
+       switch (crypto_info->cipher_type) {
        case TLS_CIPHER_AES_GCM_128: {
                if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
                        rc = -EINVAL;
                        goto out;
                }
-               rc = copy_from_user(
-                 crypto_info,
-                 optval,
-                 sizeof(struct tls12_crypto_info_aes_gcm_128));
-
+               rc = copy_from_user(crypto_info + 1, optval + 
sizeof(*crypto_info),
+                                   optlen - sizeof(*crypto_info));
                if (rc) {
                        rc = -EFAULT;
                        goto err_crypto_info;
-- 
1.8.3.1

Reply via email to