Skip to content

Commit 77d0096

Browse files
PlaidCatroxanan1996
authored andcommitted
crypto: algif_aead - Fix minimum RX size check for decryption
jira VULN-181881 cve-bf CVE-2026-31431 commit-author Herbert Xu <herbert@gondor.apana.org.au> commit 3d14bd4 The check for the minimum receive buffer size did not take the tag size into account during decryption. Fix this by adding the required extra length. Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com Reported-by: Daniel Pouzzner <douzzer@mega.nu> Fixes: d887c52 ("crypto: algif_aead - overhaul memory management") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> (cherry picked from commit 3d14bd4) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent e312813 commit 77d0096

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

crypto/algif_aead.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -168,7 +168,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
168168
if (usedpages < outlen) {
169169
size_t less = outlen - usedpages;
170170

171-
if (used < less) {
171+
if (used < less + (ctx->enc ? 0 : as)) {
172172
err = -EINVAL;
173173
goto free;
174174
}

0 commit comments

Comments
 (0)