summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorNicolai Stange <nicstange@gmail.com>2016-05-26 23:19:53 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2016-05-31 10:42:00 +0200
commit7af791e0f0d00c14f01ba2ffe3b6e2b50a35fc6f (patch)
tree4ac6e6a42d23bbabe2d59dbd6cfd4678b226e12a /lib
parentlib/digsig: digsig_verify_rsa(): return -EINVAL if modulo length is zero (diff)
downloadlinux-7af791e0f0d00c14f01ba2ffe3b6e2b50a35fc6f.tar.xz
linux-7af791e0f0d00c14f01ba2ffe3b6e2b50a35fc6f.zip
lib/mpi: mpi_read_from_buffer(): return -EINVAL upon too short buffer
Currently, if the input buffer is shorter than the expected length as indicated by its first two bytes, an MPI instance of this expected length will be allocated and filled with as much data as is available. The rest will remain uninitialized. Instead of leaving this condition undetected, an error code should be reported to the caller. Since this situation indicates that the input buffer's first two bytes, encoding the number of expected bits, are garbled, -EINVAL is appropriate here. If the input buffer is shorter than indicated by its first two bytes, make mpi_read_from_buffer() return -EINVAL. Get rid of the 'nread' variable: with the new semantics, the total number of bytes read from the input buffer is known in advance. Signed-off-by: Nicolai Stange <nicstange@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'lib')
-rw-r--r--lib/mpi/mpicoder.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
index 350abaf4bee7..9c6f6b986682 100644
--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -81,7 +81,7 @@ MPI mpi_read_from_buffer(const void *xbuffer, unsigned *ret_nread)
{
const uint8_t *buffer = xbuffer;
int i, j;
- unsigned nbits, nbytes, nlimbs, nread = 0;
+ unsigned nbits, nbytes, nlimbs;
mpi_limb_t a;
MPI val = NULL;
@@ -94,9 +94,14 @@ MPI mpi_read_from_buffer(const void *xbuffer, unsigned *ret_nread)
return ERR_PTR(-EINVAL);
}
buffer += 2;
- nread = 2;
nbytes = DIV_ROUND_UP(nbits, 8);
+ if (nbytes + 2 > *ret_nread) {
+ printk("MPI: mpi larger than buffer nread=%d ret_nread=%d\n",
+ *ret_nread + 1, *ret_nread);
+ return ERR_PTR(-EINVAL);
+ }
+
nlimbs = DIV_ROUND_UP(nbytes, BYTES_PER_MPI_LIMB);
val = mpi_alloc(nlimbs);
if (!val)
@@ -109,12 +114,6 @@ MPI mpi_read_from_buffer(const void *xbuffer, unsigned *ret_nread)
for (; j > 0; j--) {
a = 0;
for (; i < BYTES_PER_MPI_LIMB; i++) {
- if (++nread > *ret_nread) {
- printk
- ("MPI: mpi larger than buffer nread=%d ret_nread=%d\n",
- nread, *ret_nread);
- goto leave;
- }
a <<= 8;
a |= *buffer++;
}
@@ -122,8 +121,7 @@ MPI mpi_read_from_buffer(const void *xbuffer, unsigned *ret_nread)
val->d[j - 1] = a;
}
-leave:
- *ret_nread = nread;
+ *ret_nread = nbytes + 2;
return val;
}
EXPORT_SYMBOL_GPL(mpi_read_from_buffer);