From 905ec8797790380e134714e15ff3341eeeabb05e Mon Sep 17 00:00:00 2001 From: Ofer Heifetz Date: Thu, 2 Feb 2023 06:57:26 -0800 Subject: tls: openssl: fix SSL_read partial read scenario When application performs SSL_read from the app rx-fifo, it can pre-allocate multiple segments, but there is an issue if the OpenSSL manages to partially fill in the first segment, in this case, since data is assumed to be copied over by OpenSSL to the pre-allocated segments(s), vpp uses svm_fifo_enqueue_nocopy API which performs zero copy by passing the pre-allocated segment to SSL_read. If the decrypted data size is smaller than the pre-allocated fifo segment buffer size, application will fetch buffers including zero in the area not filled in by SSL_read. Type: fix Signed-off-by: Ofer Heifetz Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38 --- src/plugins/tlsopenssl/tls_openssl.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'src/plugins/tlsopenssl') diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 5ccc492328a..426bf2fe1e5 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -186,18 +186,20 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl) return 0; } - for (i = 1; i < n_fs; i++) + if (read == (int) fs[0].len) { - rv = SSL_read (ssl, fs[i].data, fs[i].len); - read += rv > 0 ? rv : 0; - - if (rv < (int) fs[i].len) + for (i = 1; i < n_fs; i++) { - ossl_check_err_is_fatal (ssl, rv); - break; + rv = SSL_read (ssl, fs[i].data, fs[i].len); + read += rv > 0 ? rv : 0; + + if (rv < (int) fs[i].len) + { + ossl_check_err_is_fatal (ssl, rv); + break; + } } } - svm_fifo_enqueue_nocopy (f, read); return read; -- cgit 1.2.3-korg