On Mon, Apr 21, 2025 at 01:51:06PM +0800, Su Hui wrote:
>
> @@ -433,7 +434,7 @@ static inline struct aead_request
> *aead_request_alloc(struct crypto_aead *tfm,
> {
> struct aead_request *req;
>
> - req = kmalloc(sizeof(*req) + crypto_aead_reqsize(tfm), gfp);
> + req = kmalloc(size_add(sizeof(*req), crypto_aead_reqsize(tfm)), gfp);
This is just wrong. You should fail the allocation altogether
rather than proceeding with a length that is insufficient.
However, reqsize shouldn't be anywhere near overflowing in the
first place. If you're truly worried about this, you should
change the algorithm registration code to check whether reqsize
is sane.
And that needs to wait until the algorithms are fixed to not use
dynamic reqsizes.
Cheers,
--
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
