From 701ba9cfe3f724d3b57d6397756a571d8469fbdf Mon Sep 17 00:00:00 2001 From: Ofer Heifetz Date: Thu, 2 Feb 2023 06:57:26 -0800 Subject: tls: openssl: fix SSL_read partial read scenario When application performs SSL_read from the app rx-fifo, it can pre-allocate multiple segments, but there is an issue if the OpenSSL manages to partially fill in the first segment, in this case, since data is assumed to be copied over by OpenSSL to the pre-allocated segments(s), vpp uses svm_fifo_enqueue_nocopy API which performs zero copy by passing the pre-allocated segment to SSL_read. If the decrypted data size is smaller than the pre-allocated fifo segment buffer size, application will fetch buffers including zero in the area not filled in by SSL_read. Type: fix Signed-off-by: Ofer Heifetz Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38 (cherry picked from commit 905ec8797790380e134714e15ff3341eeeabb05e) --- src/plugins/tlsopenssl/tls_openssl.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 5ccc492328a..426bf2fe1e5 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -186,18 +186,20 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl) return 0; } - for (i = 1; i < n_fs; i++) + if (read == (int) fs[0].len) { - rv = SSL_read (ssl, fs[i].data, fs[i].len); - read += rv > 0 ? rv : 0; - - if (rv < (int) fs[i].len) + for (i = 1; i < n_fs; i++) { - ossl_check_err_is_fatal (ssl, rv); - break; + rv = SSL_read (ssl, fs[i].data, fs[i].len); + read += rv > 0 ? rv : 0; + + if (rv < (int) fs[i].len) + { + ossl_check_err_is_fatal (ssl, rv); + break; + } } } - svm_fifo_enqueue_nocopy (f, read); return read; -- cgit 1.2.3-korg