crypto: bcm - Fix pointer arithmetic

In spu2_dump_omd() value of ptr is increased by ciph_key_len
instead of hash_iv_len which could lead to going beyond the
buffer boundaries.
Fix this bug by changing ciph_key_len to hash_iv_len.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c
index 07989bb8c220a4909cd07bb513330ae58cd0c888..3fdc64b5a65e7e9d27ac9d274f55e3d15f2b6822 100644 (file)
--- a/drivers/crypto/bcm/spu2.c
+++ b/drivers/crypto/bcm/spu2.c
@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len,
        if (hash_iv_len) {
                packet_log("  Hash IV Length %u bytes\n", hash_iv_len);
                packet_dump("  hash IV: ", ptr, hash_iv_len);
-               ptr += ciph_key_len;
+               ptr += hash_iv_len;
        }
 
        if (ciph_iv_len) {