This commit fixes missing guards for size of memcpy,
it is needed to prevent faulty access when incorrect length
passed from the user.
Fixes: 3b78aa7b2317 ("crypto/qat: refactor asymmetric crypto functions")
Signed-off-by: Arek Kusztal <arkadiuszx.kusz...@intel.com>
---
drivers/crypto/qat/qat_asym.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82a0450aed..cad04e05b5 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -248,6 +248,10 @@ modexp_collect(struct rte_crypto_asym_op *asym_op,
uint32_t alg_bytesize = cookie->alg_bytesize;
uint8_t *modexp_result = asym_op->modex.result.data;
+ if (n.length > alg_bytesize) {
+ QAT_LOG(ERR, "Incorrect length of modexp modulus");
+ return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ }
rte_memcpy(modexp_result,
cookie->output_array[0] + alg_bytesize
- n.length, n.length);
@@ -304,6 +308,10 @@ modinv_collect(struct rte_crypto_asym_op *asym_op,
uint8_t *modinv_result = asym_op->modinv.result.data;
uint32_t alg_bytesize = cookie->alg_bytesize;
+ if (n.length > alg_bytesize) {
+ QAT_LOG(ERR, "Incorrect length of modinv modulus");
+ return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ }
rte_memcpy(modinv_result + (asym_op->modinv.result.length
- n.length),
cookie->output_array[0] + alg_bytesize
--
2.13.6
