git: 1756d1cab3ce - main - ktls CBC decrypt: Avoid creating zero length iovec entries

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Tue, 30 Jun 2026 18:26:51 UTC
The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=1756d1cab3ce28085eec94a45c557e1af265ccd0

commit 1756d1cab3ce28085eec94a45c557e1af265ccd0
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2026-06-30 18:11:29 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2026-06-30 18:11:29 +0000

    ktls CBC decrypt: Avoid creating zero length iovec entries
    
    If an mbuf's length in the chain for an encrypted TLS record exactly
    matches the remaining length of header bytes to skip, skip the mbuf
    entirely rather than adding a zero-length iovec entry.
    
    Sponsored by:   Chelsio Communications
---
 sys/opencrypto/ktls_ocf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 87cbf0bd3311..81e130258747 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -500,7 +500,7 @@ ktls_ocf_tls_cbc_decrypt(struct ktls_session *tls,
 	iov[0].iov_len = sizeof(ad);
 	skip = sizeof(*hdr) + AES_BLOCK_LEN;
 	for (i = 1, n = m; n != NULL; n = n->m_next) {
-		if (n->m_len < skip) {
+		if (n->m_len <= skip) {
 			skip -= n->m_len;
 			continue;
 		}