Re: [PATCH net-next v2 2/5] tls: block decryption when a rekey is pending

2023-02-14, 21:09:25 -0800, Jakub Kicinski wrote:

On Tue, 14 Feb 2023 12:17:39 +0100 Sabrina Dubroca wrote:

...

@@ -2141,6 +2178,12 @@ ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos, if (err < 0) return err;

• /* a rekey is pending, let userspace deal with it */
• if (unlikely(ctx->key_update_pending)) {

• err = -EKEYEXPIRED;
  

• goto splice_read_end;
  

• }

This will prevent splicing peek()'ed data. Just put the check in tls_rx_rec_wait().

Ok, I'll do that and add a selftest for this sequence of syscalls.