diff options
author | Dmitry Kasatkin <dmitry.kasatkin@intel.com> | 2012-01-26 19:13:25 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2012-02-02 00:23:38 +1100 |
commit | f58a08152ce4198a2a1da162b97ecf8264c24866 (patch) | |
tree | e430ef22210d8d6d41c0b7253978558a0f15f7a5 | |
parent | bc95eeadf5c6fd9e9840898a83a93718a0114b6d (diff) | |
download | op-kernel-dev-f58a08152ce4198a2a1da162b97ecf8264c24866.zip op-kernel-dev-f58a08152ce4198a2a1da162b97ecf8264c24866.tar.gz |
lib/digsig: additional sanity checks against badly formated key payload
Added sanity checks for possible wrongly formatted key payload data:
- minimum key payload size
- zero modulus length
- corrected upper key payload boundary.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | lib/digsig.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/digsig.c b/lib/digsig.c index fd2402f..5d840ac 100644 --- a/lib/digsig.c +++ b/lib/digsig.c @@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key, down_read(&key->sem); ukp = key->payload.data; + + if (ukp->datalen < sizeof(*pkh)) + goto err1; + pkh = (struct pubkey_hdr *)ukp->data; if (pkh->version != 1) @@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key, goto err1; datap = pkh->mpi; - endp = datap + ukp->datalen; + endp = ukp->data + ukp->datalen; for (i = 0; i < pkh->nmpi; i++) { unsigned int remaining = endp - datap; @@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key, mblen = mpi_get_nbits(pkey[0]); mlen = (mblen + 7)/8; - err = -ENOMEM; + if (mlen == 0) + goto err; out1 = kzalloc(mlen, GFP_KERNEL); if (!out1) |