git: 1756d1cab3ce - main - ktls CBC decrypt: Avoid creating zero length iovec entries
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 30 Jun 2026 18:26:51 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=1756d1cab3ce28085eec94a45c557e1af265ccd0
commit 1756d1cab3ce28085eec94a45c557e1af265ccd0
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2026-06-30 18:11:29 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2026-06-30 18:11:29 +0000
ktls CBC decrypt: Avoid creating zero length iovec entries
If an mbuf's length in the chain for an encrypted TLS record exactly
matches the remaining length of header bytes to skip, skip the mbuf
entirely rather than adding a zero-length iovec entry.
Sponsored by: Chelsio Communications
---
sys/opencrypto/ktls_ocf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 87cbf0bd3311..81e130258747 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -500,7 +500,7 @@ ktls_ocf_tls_cbc_decrypt(struct ktls_session *tls,
iov[0].iov_len = sizeof(ad);
skip = sizeof(*hdr) + AES_BLOCK_LEN;
for (i = 1, n = m; n != NULL; n = n->m_next) {
- if (n->m_len < skip) {
+ if (n->m_len <= skip) {
skip -= n->m_len;
continue;
}