From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 5 May 2026 09:02:45 +0000 (+0800)
Subject: crypto: af_alg - Cap AEAD AD length to 0x80000000
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e4c06479d7059888adf2f22bc1ebcf053bf691a2;p=thirdparty%2Flinux.git

crypto: af_alg - Cap AEAD AD length to 0x80000000

In order to prevent arithmetic overflows when checking the TX
buffer size, cap the associated data length to 0x80000000.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index fce0b87c2b652..48c53f488e0fd 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -584,6 +584,8 @@ static int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con)
 			if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
 				return -EINVAL;
 			con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
+			if (con->aead_assoclen >= 0x80000000u)
+				return -EINVAL;
 			break;
 
 		default: