summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2012-01-26 18:13:25 +0100
committerJames Morris <jmorris@namei.org>2012-02-01 14:23:38 +0100
commitf58a08152ce4198a2a1da162b97ecf8264c24866 (patch)
treee430ef22210d8d6d41c0b7253978558a0f15f7a5
parentlib/mpi: removed unused functions (diff)
downloadlinux-f58a08152ce4198a2a1da162b97ecf8264c24866.tar.xz
linux-f58a08152ce4198a2a1da162b97ecf8264c24866.zip
lib/digsig: additional sanity checks against badly formated key payload
Added sanity checks for possible wrongly formatted key payload data: - minimum key payload size - zero modulus length - corrected upper key payload boundary. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--lib/digsig.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/digsig.c b/lib/digsig.c
index fd2402f67f89..5d840ac64fb1 100644
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key,
down_read(&key->sem);
ukp = key->payload.data;
+
+ if (ukp->datalen < sizeof(*pkh))
+ goto err1;
+
pkh = (struct pubkey_hdr *)ukp->data;
if (pkh->version != 1)
@@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key,
goto err1;
datap = pkh->mpi;
- endp = datap + ukp->datalen;
+ endp = ukp->data + ukp->datalen;
for (i = 0; i < pkh->nmpi; i++) {
unsigned int remaining = endp - datap;
@@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key,
mblen = mpi_get_nbits(pkey[0]);
mlen = (mblen + 7)/8;
- err = -ENOMEM;
+ if (mlen == 0)
+ goto err;
out1 = kzalloc(mlen, GFP_KERNEL);
if (!out1)