diff options
| author | David S. Miller <davem@davemloft.net> | 2025-05-19 12:10:43 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2025-05-19 12:10:43 +0100 |
| commit | a8ae8a0e848e3506c95e45e7cb6e640502495f1a (patch) | |
| tree | c77e56428bfa62907683721941becee4ffa3b9f6 /drivers/net/ovpn/crypto_aead.c | |
| parent | b8fa067c4a76e9a28f2003a50ff9b60f00b11168 (diff) | |
| parent | 40d48527a587b5c2bd4b7ba00974732a93052cae (diff) | |
Merge tag 'ovpn-net-next-20250515' of https://github.com/OpenVPN/ovpn-net-next
Antonio Quartulli says:
====================
ovpn: pull request for net-next: ovpn 2025-05-15
this is a new version of the previous pull request.
These time I have removed the fixes that we are still discussing,
so that we don't hold the entire series back.
There is a new fix though: it's about properly checking the return value
of skb_to_sgvec_nomark(). I spotted the issue while testing pings larger
than the iface's MTU on a TCP VPN connection.
I have added various Closes and Link tags where applicable, so
that we have references to GitHub tickets and other public discussions.
Since I have resent the PR, I have also added Andrew's Reviewed-by to
the first patch.
Please pull or let me know if something should be changed!
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Patchset highlights:
- update MAINTAINERS entry for ovpn
- extend selftest with more cases
- avoid crash in selftest in case of getaddrinfo() failure
- fix ndo_start_xmit return value on error
- set ignore_df flag for IPv6 packets
- drop useless reg_state check in keepalive worker
- retain skb's dst when entering xmit function
- fix check on skb_to_sgvec_nomark() return value
Diffstat (limited to 'drivers/net/ovpn/crypto_aead.c')
| -rw-r--r-- | drivers/net/ovpn/crypto_aead.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c index 74ee639ac868..2cca759feffa 100644 --- a/drivers/net/ovpn/crypto_aead.c +++ b/drivers/net/ovpn/crypto_aead.c @@ -88,12 +88,15 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, /* build scatterlist to encrypt packet payload */ ret = skb_to_sgvec_nomark(skb, sg + 1, 0, skb->len); - if (unlikely(nfrags != ret)) - return -EINVAL; + if (unlikely(ret < 0)) { + netdev_err(peer->ovpn->dev, + "encrypt: cannot map skb to sg: %d\n", ret); + return ret; + } /* append auth_tag onto scatterlist */ __skb_push(skb, tag_size); - sg_set_buf(sg + nfrags + 1, skb->data, tag_size); + sg_set_buf(sg + ret + 1, skb->data, tag_size); /* obtain packet ID, which is used both as a first * 4 bytes of nonce and last 4 bytes of associated data. @@ -201,11 +204,14 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, /* build scatterlist to decrypt packet payload */ ret = skb_to_sgvec_nomark(skb, sg + 1, payload_offset, payload_len); - if (unlikely(nfrags != ret)) - return -EINVAL; + if (unlikely(ret < 0)) { + netdev_err(peer->ovpn->dev, + "decrypt: cannot map skb to sg: %d\n", ret); + return ret; + } /* append auth_tag onto scatterlist */ - sg_set_buf(sg + nfrags + 1, skb->data + OVPN_AAD_SIZE, tag_size); + sg_set_buf(sg + ret + 1, skb->data + OVPN_AAD_SIZE, tag_size); /* iv may be required by async crypto */ ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC); |