From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Tue, 9 Apr 2019 00:59:50 +0000 (-0700)
Subject: net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()
X-Git-Tag: v4.19.37~82
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=785833b9eee027c0d31dfe96225e243f13110939;p=thirdparty%2Fkernel%2Fstable.git

net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()

[ Upstream commit b4f47f3848eb70986f75d06112af7b48b7f5f462 ]

Unlike '&&' operator, the '&' does not have short-circuit
evaluation semantics.  IOW both sides of the operator always
get evaluated.  Fix the wrong operator in
tls_is_sk_tx_device_offloaded(), which would lead to
out-of-bounds access for for non-full sockets.

Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/include/net/tls.h b/include/net/tls.h
index 0a769cf2f5f3e..c423b7d0b6abc 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -317,7 +317,7 @@ tls_validate_xmit_skb(struct sock *sk, struct net_device *dev,
 static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
 {
 #ifdef CONFIG_SOCK_VALIDATE_XMIT
-	return sk_fullsock(sk) &
+	return sk_fullsock(sk) &&
 	       (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
 	       &tls_validate_xmit_skb);
 #else