crypto: af_alg - Cap AEAD AD length to 0x80000000

In order to prevent arithmetic overflows when checking the TX
buffer size, cap the associated data length to 0x80000000.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index fce0b87c2b652165cd9902e2ff7e00bc174e9025..48c53f488e0fd30818e72439fe0c0d7e4cee1432 100644 (file)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -584,6 +584,8 @@ static int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con)
                        if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
                                return -EINVAL;
                        con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
+                       if (con->aead_assoclen >= 0x80000000u)
+                               return -EINVAL;
                        break;
 
                default: