Coverity pointed out that, if the final segment of the session key being
written is not a full segment, the loop could potentially read past the
end of the source buffer. Use RTE_MIN() to make sure to only copy as much
of the key as is left.
Coverity issue: 426432
Fixes: 6bc7f2cf6687 ("crypto/ionic: support sessions")
Signed-off-by: Andrew Boyer <andrew.bo...@amd.com>
---
drivers/crypto/ionic/ionic_crypto_main.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/ionic/ionic_crypto_main.c
b/drivers/crypto/ionic/ionic_crypto_main.c
index d4810e3617..9960dc3a6d 100644
--- a/drivers/crypto/ionic/ionic_crypto_main.c
+++ b/drivers/crypto/ionic/ionic_crypto_main.c
@@ -193,7 +193,7 @@ iocpt_session_write(struct iocpt_session_priv *priv,
};
struct iocpt_sess_control_cmd *cmd = &ctx.cmd.sess_control;
uint16_t key_offset;
- uint8_t key_segs, seg;
+ uint8_t key_segs, seg, seg_len;
int err;
key_segs = ((priv->key_len - 1) >> IOCPT_SESS_KEY_SEG_SHFT) + 1;
@@ -202,8 +202,9 @@ iocpt_session_write(struct iocpt_session_priv *priv,
ctx.pending_work = true;
key_offset = seg * cmd->key_seg_len;
- memcpy(cmd->key, &priv->key[key_offset],
- IOCPT_SESS_KEY_SEG_LEN);
+ seg_len = (uint8_t)RTE_MIN(priv->key_len - key_offset,
+ IOCPT_SESS_KEY_SEG_LEN);
+ memcpy(cmd->key, &priv->key[key_offset], seg_len);
cmd->key_seg_idx = seg;
/* Mark final segment */
--
2.17.1
